From owner-freebsd-pf@FreeBSD.ORG Mon Aug 23 15:21:05 2010
Date: Mon, 23 Aug 2010 11:16:48 -0400
From: Dan Pritts
To: Earl Lapus
Cc: freebsd-pf@freebsd.org
Subject: Re: pf state options
Message-ID: <20100823151647.GD10713@maniac.deathstar.org>
User-Agent: Mutt/1.4.2.3i

I don't know the answer to your question, but can tell you that there
appears to be a bug in "set limit" parsing. It probably won't affect you
on states, but just in case, here goes:

If I put this in a pf.conf:

    set limit table-entries 500000

and then try to load a table with more than the default number of
entries, it pukes.

If I instead make a special /etc/pf.set (name not significant) with just
the set limit command, and then do this:

    /sbin/pfctl -f /etc/pf.set; /sbin/pfctl -f /etc/pf.conf

it works as I'd want. I assume this is because the tables are loaded
before the limits are raised. oops.
On Mon, Aug 23, 2010 at 01:08:50PM +0800, Earl Lapus wrote:
> Hi,
>
> I've setup the following rules in pf.conf
> ---
> set limit states 20000
> pass in from 192.168.56.100 to any keep state (max 30000)
> ---
>
> It loads perfectly fine. However, if you noticed, the max states value
> in the rule (30000) is greater than the hard limit (20000).
> So my question is: what is the distinction between the states count
> specified in `set limit states (n)` with the `max (n)` specified in a
> rule? Are they at all related?
>
> Cheers!
>
> --
> There are seven words in this sentence.

danno
--
dan pritts
danno@umich.edu
734-929-9770
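The two-stage load Dan describes, scripted so that no hand-maintained /etc/pf.set is needed: this is an added example, not code from the thread or from the pf project. It assumes a POSIX sh with awk, that every `set limit` option sits on its own line (the `set limit { ... }` block form is not handled), and the file names are placeholders.

```shell
#!/bin/sh
# Added example: pull every "set limit ..." line out of pf.conf and load it
# before the rest of the ruleset, so tables and rules are only loaded once
# the pool limits have been raised (mirrors the two pfctl commands in the post).

# split_limits CONF LIMITS_OUT RULES_OUT
# Writes each single-line "set limit ..." option of CONF to LIMITS_OUT and
# everything else (comments included) to RULES_OUT, keeping relative order.
split_limits() {
    conf=$1; limits=$2; rules=$3
    awk -v limits="$limits" -v rules="$rules" '
        /^[ \t]*set[ \t]+limit[ \t]/ { print > limits; next }
        { print > rules }
    ' "$conf"
}

# load_pf CONF
# Stage 1: load the limits alone.  Stage 2: immediately load the remaining
# ruleset.  "pfctl -s memory" afterwards shows the limits now in effect.
load_pf() {
    tmp=$(mktemp -d) || return 1
    split_limits "$1" "$tmp/pf.limits" "$tmp/pf.rules" || { rm -rf "$tmp"; return 1; }
    if [ -s "$tmp/pf.limits" ]; then
        /sbin/pfctl -f "$tmp/pf.limits" || { rm -rf "$tmp"; return 1; }
    fi
    /sbin/pfctl -f "$tmp/pf.rules"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample pf.conf, used here only to show the split (no pfctl run).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example ruleset
set limit table-entries 500000
set limit states 20000
table <blocked> persist file "/etc/pf.blocked"
block in quick from <blocked> to any
pass in from 192.168.56.100 to any keep state (max 30000)
EOF
split_limits "$sample" "$sample.limits" "$sample.rules"
# On a real host: load_pf /etc/pf.conf && pfctl -s memory
```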