Page MenuHomeFreeBSD

pfctl: Point users to net.pf.request_maxcount if large requests are rejected
ClosedPublic

Authored by kp on Jan 21 2019, 3:50 AM.

Details

Summary

The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.

The error message in this case was not very clear:
pf.conf:1: cannot define table nets: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount setting,
and if we've tried to create more than that point the user at
net.pf.request_maxcount:
pf.conf:1: cannot define table nets: too many elements.
Consider increasing net.pf.request_maxcount.
pfctl: Syntax error in config file: pf rules not loaded

PR: 235076

Diff Detail

Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 22062
Build 21290: arc lint + arc unit

Event Timeline

kp created this revision.Jan 21 2019, 3:50 AM
kp added a reviewer: network.Jan 21 2019, 3:50 AM
kp set the repository for this revision to rS FreeBSD src repository.
This revision was not accepted when it landed; it landed in state Needs Review.Jan 28 2019, 8:36 AM
This revision was automatically updated to reflect the committed changes.