Index: sbin/pfctl/pfctl_radix.c =================================================================== --- sbin/pfctl/pfctl_radix.c +++ sbin/pfctl/pfctl_radix.c @@ -58,6 +58,23 @@ static int pfr_next_token(char buf[], FILE *); +static void +pfr_report_error(struct pfr_table *tbl, struct pfioc_table *io, + const char *err) +{ + unsigned long maxcount; + size_t s; + + s = sizeof(maxcount); + if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL, + 0) == -1) + return; + + if (io->pfrio_size > maxcount || io->pfrio_size2 > maxcount) + fprintf(stderr, "cannot %s %s: too many elements.\n" + "Consider increasing net.pf.request_maxcount.", + err, tbl->pfrt_name); +} int pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags) @@ -89,8 +106,10 @@ io.pfrio_buffer = tbl; io.pfrio_esize = sizeof(*tbl); io.pfrio_size = size; - if (ioctl(dev, DIOCRADDTABLES, &io)) + if (ioctl(dev, DIOCRADDTABLES, &io)) { + pfr_report_error(tbl, &io, "add table"); return (-1); + } if (nadd != NULL) *nadd = io.pfrio_nadd; return (0); @@ -110,8 +129,10 @@ io.pfrio_buffer = tbl; io.pfrio_esize = sizeof(*tbl); io.pfrio_size = size; - if (ioctl(dev, DIOCRDELTABLES, &io)) + if (ioctl(dev, DIOCRDELTABLES, &io)) { + pfr_report_error(tbl, &io, "delete table"); return (-1); + } if (ndel != NULL) *ndel = io.pfrio_ndel; return (0); @@ -134,8 +155,10 @@ io.pfrio_buffer = tbl; io.pfrio_esize = sizeof(*tbl); io.pfrio_size = *size; - if (ioctl(dev, DIOCRGETTABLES, &io)) + if (ioctl(dev, DIOCRGETTABLES, &io)) { + pfr_report_error(tbl, &io, "get table"); return (-1); + } *size = io.pfrio_size; return (0); } @@ -157,8 +180,10 @@ io.pfrio_buffer = tbl; io.pfrio_esize = sizeof(*tbl); io.pfrio_size = *size; - if (ioctl(dev, DIOCRGETTSTATS, &io)) + if (ioctl(dev, DIOCRGETTSTATS, &io)) { + pfr_report_error(filter, &io, "get tstats for"); return (-1); + } *size = io.pfrio_size; return (0); } @@ -198,8 +223,10 @@ io.pfrio_buffer = addr; io.pfrio_esize = sizeof(*addr); io.pfrio_size = size; - if (ioctl(dev, DIOCRADDADDRS, &io)) + if (ioctl(dev, DIOCRADDADDRS, &io)) { + pfr_report_error(tbl, &io, "add addresses in"); return (-1); + } if (nadd != NULL) *nadd = io.pfrio_nadd; return (0); @@ -221,8 +248,10 @@ io.pfrio_buffer = addr; io.pfrio_esize = sizeof(*addr); io.pfrio_size = size; - if (ioctl(dev, DIOCRDELADDRS, &io)) + if (ioctl(dev, DIOCRDELADDRS, &io)) { + pfr_report_error(tbl, &io, "delete addresses in"); return (-1); + } if (ndel != NULL) *ndel = io.pfrio_ndel; return (0); @@ -245,8 +274,10 @@ io.pfrio_esize = sizeof(*addr); io.pfrio_size = size; io.pfrio_size2 = (size2 != NULL) ? *size2 : 0; - if (ioctl(dev, DIOCRSETADDRS, &io)) + if (ioctl(dev, DIOCRSETADDRS, &io)) { + pfr_report_error(tbl, &io, "set addresses in"); return (-1); + } if (nadd != NULL) *nadd = io.pfrio_nadd; if (ndel != NULL) @@ -275,8 +306,10 @@ io.pfrio_buffer = addr; io.pfrio_esize = sizeof(*addr); io.pfrio_size = *size; - if (ioctl(dev, DIOCRGETADDRS, &io)) + if (ioctl(dev, DIOCRGETADDRS, &io)) { + pfr_report_error(tbl, &io, "get addresses from"); return (-1); + } *size = io.pfrio_size; return (0); } @@ -298,8 +331,10 @@ io.pfrio_buffer = addr; io.pfrio_esize = sizeof(*addr); io.pfrio_size = *size; - if (ioctl(dev, DIOCRGETASTATS, &io)) + if (ioctl(dev, DIOCRGETASTATS, &io)) { + pfr_report_error(tbl, &io, "get astats from"); return (-1); + } *size = io.pfrio_size; return (0); } @@ -318,8 +353,10 @@ io.pfrio_buffer = tbl; io.pfrio_esize = sizeof(*tbl); io.pfrio_size = size; - if (ioctl(dev, DIOCRCLRTSTATS, &io)) + if (ioctl(dev, DIOCRCLRTSTATS, &io)) { + pfr_report_error(tbl, &io, "clear tstats from"); return (-1); + } if (nzero) *nzero = io.pfrio_nzero; return (0); @@ -341,8 +378,10 @@ io.pfrio_buffer = addr; io.pfrio_esize = sizeof(*addr); io.pfrio_size = size; - if (ioctl(dev, DIOCRTSTADDRS, &io)) + if (ioctl(dev, DIOCRTSTADDRS, &io)) { + pfr_report_error(tbl, &io, "test addresses in"); return (-1); + } if (nmatch) *nmatch = io.pfrio_nmatch; return (0); @@ -365,8 +404,10 @@ io.pfrio_esize = sizeof(*addr); io.pfrio_size = size; io.pfrio_ticket = ticket; - if (ioctl(dev, DIOCRINADEFINE, &io)) + if (ioctl(dev, DIOCRINADEFINE, &io)) { + pfr_report_error(tbl, &io, "define inactive set table"); return (-1); + } if (nadd != NULL) *nadd = io.pfrio_nadd; if (naddr != NULL)