Date:      Wed, 14 Apr 2021 09:26:42 -0700
From:      Chris <bsd-lists@bsdforge.com>
To:        Peter Ankerstål <peter@pean.org>
Cc:        stable@freebsd.org
Subject:   Re: using interface groups in pf tables stopped working in 13.0-RELEASE
Message-ID:  <551fea62780e0a2c5b4748fa3fce8027@bsdforge.com>
In-Reply-To: <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org>
References:  <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org>

On 2021-04-14 07:16, Peter Ankerstål wrote:
> In pf I use the interface group syntax a lot to make the configuration more
> readable. All interfaces are assigned to a group representing its use/vlan
> name.
> 
> For example:
> 
> ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
> ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"
> 
> ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan' up"
> ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"
> 
> in pf.conf I use these group names all over the place. But since I upgraded
> to 13.0-RELEASE it no longer works to define a table using the :network syntax
> and interface groups:
> 
> table   <nat_addresses> const { trusted:network mgmt:network dmz:network guest:network edmz:network \
>         admin:network iot:network client:network }
> 
> If I reload the configuration I get the following:
> # pfctl -f /etc/pf.conf
> /etc/pf.conf:12: cannot create address buffer: Invalid argument
> pfctl: Syntax error in config file: pf rules not loaded
Some changes in the pf source have been made over the last couple
of months. The error returned appears to be related. It appears
that you're running into a table size/count and memory allocation
related error. The first change moved/changed memory allocation to
kernel space, requiring one to increase allocation via loader.conf(5).
It was recently moved back to userspace allowing one to make changes
to a running system via sysctl.conf(5) or the command line.
IOW if you're on the recent change you should be able to simply
increase your table count by executing something like:
# echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
OTOH if you're stuck with the change in kernelspace, increase
net.pf.request_maxcount=
by some amount in loader.conf(5). If you are on the newer userspace
change, you can issue the sysctl(8) command at your terminal for
net.pf.request_maxcount=
as well.

HTH

--Chris
> 
> I have tried to use just one network, double check the interface group
> setting and so on, but with no luck.
> 
> Using an actual interface works just fine:
> 
> table   <nat_addresses> { igb1.300:network }
> 
> but using the group fails:
> 
> # ifconfig -g mgmt
> igb1.300
> 
> table   <nat_addresses> { mgmt:network }
> 
> # pfctl -f /etc/pf.conf
> /etc/pf.conf:12: cannot create address buffer: Invalid argument
> pfctl: Syntax error in config file: pf rules not loaded
> 
> Any ideas?
> 
> Thanks!
> 
> /Peter.
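As an added example (not part of this thread, and not FreeBSD or pf code), the script below applies the workaround Peter's own test points at: concrete interface names still load, so it rewrites every `group:network`-style reference in a pf.conf to one entry per member interface, using the output of `ifconfig -g <group>`. The group membership is constructed sample data; only `mgmt` -> `igb1.300` comes from the thread.

```python
import re

# Constructed sample of what `ifconfig -g <group>` prints (one member per line).
# Only mgmt -> igb1.300 is taken from the thread; iot and dmz are made up.
SAMPLE_IFCONFIG_G = {
    "mgmt": "igb1.300\n",
    "iot": "igb1.102\n",
    "dmz": "igb2\nigb3\n",
}

# A name followed by one of pf.conf's interface address modifiers. The
# lookarounds stop "igb1.300:network" from matching as the group "300".
GROUP_REF_RE = re.compile(
    r"(?<![\w.])(?P<name>[A-Za-z_]\w*)(?P<mod>:(?:network|broadcast|peer|0))(?![\w.])"
)


def parse_ifconfig_g(output):
    """Turn `ifconfig -g <group>` output into a list of member interface names."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def expand_groups(pf_conf, group_members):
    """Rewrite group:modifier references to one entry per member interface.

    group_members maps group name -> list of interfaces. Names absent from the
    map (real interfaces such as igb1.300) are left untouched; a group that is
    present but empty is reported and left in place, since expanding it to
    nothing would silently drop the entry from the table.
    Returns (rewritten pf.conf text, {group: members} for every reference seen).
    """
    seen = {}

    def repl(m):
        name, mod = m.group("name"), m.group("mod")
        members = group_members.get(name)
        if members is None:
            return m.group(0)
        seen[name] = list(members)
        if not members:
            return m.group(0)
        return " ".join(f"{ifname}{mod}" for ifname in members)

    out = "\n".join(GROUP_REF_RE.sub(repl, line) for line in pf_conf.splitlines())
    return out + ("\n" if pf_conf.endswith("\n") else ""), seen


if __name__ == "__main__":
    groups = {g: parse_ifconfig_g(o) for g, o in SAMPLE_IFCONFIG_G.items()}
    conf = "table <nat_addresses> const { mgmt:network iot:network dmz:network \\\n        igb1.300:network }\n"
    new_conf, report = expand_groups(conf, groups)
    print(new_conf, end="")
    for g, members in report.items():
        print(f"# {g} -> {' '.join(members) or '(empty group!)'}")
```

Diff the rewritten file against the original before loading it with pfctl -nf, and treat any group reported as empty as a misconfigured rc.conf line rather than a pf problem.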