Date: Wed, 14 Apr 2021 11:09:01 -0700
From: Chris <bsd-lists@bsdforge.com>
To: Peter Ankerstål <peter@pean.org>
Cc: stable@freebsd.org, freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: using interface groups in pf tables stopped working in 13.0-RELEASE
Message-ID: <bcbaece23cc0b24e6d43116bc4d3655c@bsdforge.com>
In-Reply-To: <771b53037deb44ccc4882c43c838ab59@bsdforge.com>
References: <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org> <551fea62780e0a2c5b4748fa3fce8027@bsdforge.com> <157C274F-D5D7-47EB-A910-AF2744A22B64@pean.org> <771b53037deb44ccc4882c43c838ab59@bsdforge.com>
On 2021-04-14 11:04, Chris wrote:
> On 2021-04-14 10:44, Peter Ankerstål wrote:
>>>> const { trusted:network mgmt:network dmz:network
>>>> guest:network edmz:network \
>>>> admin:network iot:network client:network }
>>>>
>>>> If I reload the configuration I get the following:
>>>> # pfctl -f /etc/pf.conf
>>>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>>>> pfctl: Syntax error in config file: pf rules not loaded
>>> Some changes in the pf source have been made over the last couple
>>> of months. The error returned appears to be related. It appears
>>> that you're running into a table size/count and memory allocation
>>> related error. The first change moved/changed memory allocation to
>>> kernel space, requiring one to increase allocation via loader.conf(5).
>>> It was recently moved back to userspace allowing one to make changes
>>> to a running system via sysctl.conf(5) or the command line.
>>> IOW if you're on the recent change you should be able to simply
>>> increase your table count by executing something like:
>>> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
>>> OTOH if you're stuck with the change in kernelspace, increase
>>> net.pf.request_maxcount=
>>> by some amount in loader.conf(5). If you are on the newer userspace
>>> change, you can issue the sysctl(8) command at your terminal for
>>> net.pf.request_maxcount=
>>> as well.
>>
>> I don't think so. Everything works normally if I switch from group name to
>> interface name in the config.
> Sure. I only mentioned it because 1) the error you received looked almost
> exactly the same as the one I encountered after the (pf source) changes,
> 2) a lot of work has been done recently (as I mentioned above). :-)
> I'll defer to kp@ (Kristof Provost) for more insightful possibilities. As
> he's done most all the recent work. :-)
>
> --Chris

CC'ing pf@ for better coverage of your problem.

>>
>> It seems to me that pf for some reason changed how it interprets group names
>> differently from 12.2-RELEASE-p4 and 13.0-RELEASE.
>>
>> I don't really get how "anchor in from trusted:network" can resolve to
>> "anchor in inet6 all"
>>
>> /Peter.