Page MenuHomeFreeBSD
Differential D18909

pfctl: Point users to net.pf.request_maxcount if large requests are rejected
ClosedPublic
Actions

Authored by kp on Jan 21 2019, 3:50 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 18, 10:21 PM
Unknown Object (File)
Sat, Jan 18, 10:11 PM
Unknown Object (File)
Sat, Jan 18, 10:00 AM
Unknown Object (File)
Dec 6 2024, 7:52 AM
Unknown Object (File)
Dec 2 2024, 7:55 PM
Unknown Object (File)
Nov 27 2024, 12:26 AM
Unknown Object (File)
Oct 29 2024, 9:46 AM
Unknown Object (File)
Oct 9 2024, 1:15 AM
View All 70 Files
Subscribers
imp

Details

Reviewers
None
Group Reviewers
network
Commits
rS343520: pfctl: Point users to net.pf.request_maxcount if large requests are rejected
Summary

The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.

The error message in this case was not very clear:
pf.conf:1: cannot define table nets: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount setting,
and if we've tried to create more than that point the user at
net.pf.request_maxcount:
pf.conf:1: cannot define table nets: too many elements.
Consider increasing net.pf.request_maxcount.
pfctl: Syntax error in config file: pf rules not loaded

PR: 235076

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Jan 21 2019, 3:50 AM
Harbormaster completed remote builds in B22062: Diff 53047.Jan 21 2019, 3:50 AM
kp added a reviewer: network.Jan 21 2019, 3:50 AM
kp set the repository for this revision to rS FreeBSD src repository - subversion.
Herald added a subscriber: imp. · View Herald TranscriptJan 21 2019, 3:50 AM
This revision was not accepted when it landed; it landed in state Needs Review.Jan 28 2019, 8:36 AM
Closed by commit rS343520: pfctl: Point users to net.pf.request_maxcount if large requests are rejected (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sbin/
pfctl/
17 lines

Diff 53294

View Options

head/sbin/pfctl/parse.y

Loading...