Date: Fri, 21 Aug 2020 10:01:51 -0700 From: Chris <bsd-lists@BSDforge.com> To: freebsd-stable <freebsd-stable@freebsd.org> Cc: Kristof Provost <kp@FreeBSD.org> Subject: Re: net.pf.request_maxcount: UNDESIRABLE_OID Message-ID: <3c0d5c4fea1d4eb71f68a1837a8a0c4c@udns.ultimatedns.net> In-Reply-To: <A517F339-2E65-48BD-84E9-46208DFDB1E8@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 21 Aug 2020 08:56:12 +0200 Kristof Provost kp@FreeBSD=2Eorg said > On 21 Aug 2020, at 8:53, Chris wrote: > > On Fri, 21 Aug 2020 08:33:16 +0200 Kristof Provost kp@FreeBSD=2Eorg said > > > >> Hi Chris, > > Hello, Kristof=2E Thanks for the reply=2E > > Nice name BTW=2E ;-) > >> > >> On 21 Aug 2020, at 2:40, Chris wrote: > >> > We've been developing an appliance/server based on FreeBSD && > >> > pf(4)=2E We started some time ago, and have been using a very > >> > early version of 12=2E We're now collecting some 20,000,000 > >> > IP's /mos=2E So we're satisfied we're close to releasing=2E As > >> > such, we needed to bring the release up to a supported > >> > (freebsd) version (12-STABLE)=2E We would have done so sooner=2E > >> > But we need a stable (unchanging) testbed to evaluate what > >> > we're working on=2E > >> > We built and deployed a copy of 12-STABLE @r363918 that > >> > contained our work with pf(4)=2E Booting into it failed > >> > unexpectedly with: cannot define table nets: too many > >> > elements=2E Consider increasing net=2Epf=2Erequest_maxcount=2E > >> > pfctl: Syntax error in config file: pf rules not loaded > >> > OK this didn't happen on our testbed prior to the upgrade > >> > with a combined count of ~97,000,900 IPs=2E In fact the OID > >> > mentioned didn't exist=2E > >> > For reference; our testbed provides DNS, www, mail for > >> > ~60 domains/hosts, as well as our pf(4) testing=2E We can > >> > happily load our tables, and run these services w/8Gb > >> > RAM=2E > >> > This OID is more a problem than a savior=2E Why not simply > >> > return ENOMEM? > >> > > >> To quote the commit message: > >> > >> pf ioctls frequently take a variable number of elements as=20 > >> argument=2E This can > >> potentially allow users to request very large allocations=2E These= =20 > >> will fail, > >> but even a failing M_NOWAIT might tie up resources and result in= =20 > >> concurrent > >> M_WAITOK allocations entering vm_wait and inducing reclamation of= =20 > >> caches=2E > >> > >> Limit these ioctls to what should be a reasonable value, but=20 > >> allow users to > >> tune it should they need to=2E > >> > >> Now that pf can be used in vnet jails there=E2=80=99s a possibility of= an=20 > >> attacker using pf to deny service to other jails (or the host) by=20 > >> exhausting memory=2E Imposing limits on pf request sizes mitigates=20 > >> this=2E > > Hadn't considered vnet=2E Thanks for mentioning it=2E > > But why must it be a read-only OID? > > > It doesn=E2=80=99t have to be, and in CURRENT it=E2=80=99s not:=20 > https://svnweb=2Efreebsd=2Eorg/base?view=3Drevision&revision=3D355744 > That hasn=E2=80=99t been MFC=E2=80=99d for the excellent reason that I fo= rgot=2E Good news! >=20 > I=E2=80=99ll try to do that today, after I fix my dev-VM=2E Hope it turns out to be an easy fix for you=2E Thanks for all your time! >=20 > Best regards, > Kristof --Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3c0d5c4fea1d4eb71f68a1837a8a0c4c>