From: Peter Ankerstål
To: Chris
Cc: stable@freebsd.org
Date: Wed, 14 Apr 2021 19:44:30 +0200
Subject: Re: using interface groups in pf tables stopped working in 13.0-RELEASE

>> const { trusted:network mgmt:network dmz:network
>> guest:network edmz:network \
>> admin:network iot:network client:network }
>> If I reload the configuration I get the following:
>> # pfctl -f /etc/pf.conf
>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>> pfctl: Syntax error in config file: pf rules not loaded
> Some changes in the pf source have been made over the last couple
> of months. The error returned appears to be related. It appears
> that you're running into a table size/count and memory allocation
> related error. The first change moved/changed memory allocation to
> kernel space, requiring one to increase allocation via loader.conf(5).
> It was recently moved back to userspace allowing one to make changes
> to a running system via sysctl.conf(5) or the commandline.
> IOW if you're on the recent change you should be able to simply
> increase your table count by executing something like:
> # echo "set limit table-entries " | pfctl -m -f -
> OTOH if you're stuck with the change in kernelspace, increase
> net.pf.request_maxcount=
> by some amount in loader.conf(5). If you are on the newer userspace
> change, you can issue the sysctl(8) command at your terminal for
> net.pf.request_maxcount=
> as well.

I don't think so.
Everything works normally if I switch from group name to interface name in the config.

It seems to me that pf for some reason changed how it interprets group names differently from 12.2-RELEASE-p4 and 13.0-RELEASE.

I don't really get how "anchor in from trusted:network" can resolve to "anchor in inet6 all"

/Peter.
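The workaround described in the message above (interface names in place of group names), sketched as an added shell example that is not from the thread: it rewrites `group:network` table entries into one entry per member interface. It assumes `ifconfig -g <group>` lists a group's member interfaces, as on FreeBSD; `members_of`, `expand_entries`, `GROUP_MAP` and the `em0`-style interface names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: expand pf table entries of the form "group:network"
# into "iface:network" for every interface that is a member of the group.

# members_of GROUP
# Print the member interfaces of an interface group, one per line.
# GROUP_MAP (hypothetical, for offline runs) holds lines "group iface iface ...";
# when it is unset the live system is queried with ifconfig -g.
members_of() {
    if [ -n "${GROUP_MAP:-}" ]; then
        printf '%s\n' "$GROUP_MAP" |
            awk -v g="$1" '$1 == g { for (i = 2; i <= NF; i++) print $i }'
    else
        ifconfig -g "$1"
    fi
}

# expand_entries "entry entry ..."
# Print the entries on one line with every group replaced by its members.
# Entries without a ":modifier" and names with no members pass through as is.
expand_entries() {
    out=""
    for entry in $1; do
        case $entry in
            *:*) name=${entry%%:*}; mod=":${entry#*:}" ;;
            *)   out="$out $entry"; continue ;;
        esac
        ifaces=$(members_of "$name") || ifaces=""
        if [ -z "$ifaces" ]; then
            echo "warning: '$name' has no members, keeping $entry" >&2
            out="$out $entry"
            continue
        fi
        for i in $ifaces; do
            out="$out $i$mod"
        done
    done
    echo "${out# }"
}

# Constructed usage, with group names taken from the table in the message:
#   expand_entries "trusted:network mgmt:network dmz:network"
```

The rewritten table can be checked with `pfctl -nvf /etc/pf.conf`, which parses the file and prints the expanded rules without loading them.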