Date: Wed, 14 Apr 2021 19:44:30 +0200
From: Peter Ankerstål <peter@pean.org>
To: Chris <bsd-lists@bsdforge.com>
Cc: stable@freebsd.org
Subject: Re: using interface groups in pf tables stopped working in 13.0-RELEASE
Message-ID: <157C274F-D5D7-47EB-A910-AF2744A22B64@pean.org>
In-Reply-To: <551fea62780e0a2c5b4748fa3fce8027@bsdforge.com>
References: <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org> <551fea62780e0a2c5b4748fa3fce8027@bsdforge.com>
>> const { trusted:network mgmt:network dmz:network
>> guest:network edmz:network \
>> admin:network iot:network client:network }
>> If I reload the configuration I get the following:
>> # pfctl -f /etc/pf.conf
>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>> pfctl: Syntax error in config file: pf rules not loaded
> Some changes in the pf source have been made over the last couple
> of months. The error returned appears to be related. It appears
> that you're running into a table size/count and memory allocation
> related error. The first change moved/changed memory allocation to
> kernel space, requiring one to increase allocation via loader.conf(5).
> It was recently moved back to userspace allowing one to make changes
> to a running system via sysctl.conf(5) or the commandline.
> IOW if you're on the recent change you should be able to simply
> increase your table count by executing something like:
> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
> OTOH if you're stuck with the change in kernelspace, increase
> net.pf.request_maxcount=
> by some amount in loader.conf(5). If you are on the newer userspace
> change, you can issue the sysctl(8) command at your terminal for
> net.pf.request_maxcount=
> as well.
I don't think so. Everything works normally if I switch from group name to interface name
in the config.
It seems to me that pf for some reason changed how it interprets group names differently from
12.2-RELEASE-p4 and 13.0-RELEASE.
I don't really get how "anchor in from trusted:network" can resolve to "anchor in inet6 all"
/Peter.
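As an added example that is not part of Peter's or Chris's messages and not FreeBSD's own code: a POSIX sh script that applies the workaround Peter describes (writing the table with explicit interface names instead of "group:network") and then parse-checks the result with "pfctl -nf". The group map SAMPLE_GROUP_MAP and the interface names in it are constructed for offline use; on a FreeBSD host the hypothetical helper live_group_map would build the same map from "ifconfig -g <group>".

```sh
#!/bin/sh
# Added example (not from the thread): mechanise the workaround Peter
# reports, i.e. write the table with explicit interface names instead of
# "group:network", then dry-run the result with pfctl -n where pfctl exists.
set -f   # no pathname expansion: "<nets>" and "{" must stay literal tokens

# Constructed stand-in for the output of `ifconfig -g <group>` on a
# FreeBSD host: one "<group> <interface>" pair per line. The groups and
# interface names here are made up for the demo.
SAMPLE_GROUP_MAP='trusted em0
trusted em1
dmz vlan10
guest vlan20'

# Print the interfaces in group $1, one per line, from the map in $2.
group_members() {
    printf '%s\n' "$2" | awk -v g="$1" '$1 == g { print $2 }'
}

# Build the same map from the live system for the groups named in $@
# (assumes FreeBSD ifconfig, where `ifconfig -g <group>` lists members).
live_group_map() {
    for g in "$@"; do
        ifconfig -g "$g" 2>/dev/null | while IFS= read -r ifn; do
            printf '%s %s\n' "$g" "$ifn"
        done
    done
}

# Rewrite every "<group>:network" token on line $1 to one
# "<iface>:network" token per member found in map $2. Tokens whose name
# is not a group in the map (e.g. em2:network, or a plain prefix) are
# passed through unchanged.
expand_table_line() {
    _out=''
    for tok in $1; do
        case $tok in
        *:network)
            _members=$(group_members "${tok%:network}" "$2")
            if [ -n "$_members" ]; then
                for m in $_members; do _out="$_out $m:network"; done
            else
                _out="$_out $tok"
            fi
            ;;
        *) _out="$_out $tok" ;;
        esac
    done
    printf '%s\n' "${_out# }"
}

# Filter a pf.conf on stdin to stdout, expanding only "table" lines.
rewrite_conf() {
    while IFS= read -r l; do
        case $l in
        table*) expand_table_line "$l" "$1" ;;
        *)      printf '%s\n' "$l" ;;
        esac
    done
}

# Parse-only check (-n loads nothing into the kernel). Skipped when pfctl
# is not present so the script also runs on non-FreeBSD hosts.
check_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping parse check of $1" >&2
    fi
}

# Demo on a constructed two-line ruleset.
tmp=$(mktemp) || exit 1
printf '%s\n' 'table <nets> const { trusted:network dmz:network em2:network }' \
               'pass in from <nets>' | rewrite_conf "$SAMPLE_GROUP_MAP" > "$tmp"
cat "$tmp"
check_conf "$tmp"
rm -f "$tmp"
```

The caveat with this workaround: "group:network" is resolved by pf from current group membership, whereas the expanded form lists fixed interface names, so an interface that later joins or leaves the group is not picked up until the rewrite is run again and the ruleset reloaded.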
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?157C274F-D5D7-47EB-A910-AF2744A22B64>
