Date: Wed, 14 Apr 2021 11:09:01 -0700 From: Chris <bsd-lists@bsdforge.com> To: =?UTF-8?Q?Peter_Ankerst=C3=A5l?= <peter@pean.org> Cc: stable@freebsd.org, freebsd-pf <freebsd-pf@freebsd.org> Subject: Re: using interface groups in pf tables stopped working in 13.0-RELEASE Message-ID: <bcbaece23cc0b24e6d43116bc4d3655c@bsdforge.com> In-Reply-To: <771b53037deb44ccc4882c43c838ab59@bsdforge.com> References: <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org> <551fea62780e0a2c5b4748fa3fce8027@bsdforge.com> <157C274F-D5D7-47EB-A910-AF2744A22B64@pean.org> <771b53037deb44ccc4882c43c838ab59@bsdforge.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2021-04-14 11:04, Chris wrote:
> On 2021-04-14 10:44, Peter Ankerstål wrote:
>> const { trusted:network mgmt:network dmz:network
>>>> guest:network edmz:network \
>>>> admin:network iot:network client:network }
>>>> If I reload the configuration I get the following:
>>>> # pfctl -f /etc/pf.conf
>>>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>>>> pfctl: Syntax error in config file: pf rules not loaded
>>> Some changes in the pf source have been made over the last couple
>>> of months. The error returned appears to be related. It appears
>>> that your running into a table size/count and memory allocation
>>> related error. The first change moved/changed memory allocation to
>>> kernel space, requiring one to increase allocation via loader.conf(5).
>>> It was recently moved back to userspace allowing one to make changes
>>> to a running system via sysctl.conf(5) or the commandline.
>>> IOW if your on the recent change you should be able to simply
>>> increase your table count by executing something like:
>>> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
>>> OTOH if your stuck with the change in kernelspace, increase
>>> net.pf.request_maxcount=
>>> by some amount in loader.conf(5). If you are on the newer userspace
>>> change, you can issue the sysctl(8) command at your terminal for
>>> net.pf.request_maxcount=
>>> as well.
>>
>> I dont think so. Everything works normally if I switch from group name to
>> interface name
>> in the config.
> Sure. I only mentioned it because 1) the error you received looked almost
> exactly
> the same as the one I encountered after the (pf source) changes, 2) alot of
> work
> has been done recently (as I mentioned above). :-)
> I'll defer to kp@ (Kristof Provost) for more insightful possibilities. As
> he's done
> most all the recent work. :-)
>
> --Chris
CC'ing pf@ for better coverage of your problem.
>>
>> It seems to me that pf for some reason changed how it interprets group
>> names
>> differently from
>> 12.2-RELEASE-p4 and 13.0-RELEASE.
>>
>> I dont really get how "anchor in from trusted:network” can resolve to
>> "anchor in inet6 all”
>>
>> /Peter.
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bcbaece23cc0b24e6d43116bc4d3655c>