pfctl: Point users to net.pf.request_maxcount if large requests are rejected
ClosedPublic

Authored by kp on Jan 21 2019, 3:50 AM.
Summary

The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.

The error message in this case was not very clear:
pf.conf:1: cannot define table nets: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount setting,
and if we've tried to create more than that, point the user at
net.pf.request_maxcount:
pf.conf:1: cannot define table nets: too many elements.
Consider increasing net.pf.request_maxcount.
pfctl: Syntax error in config file: pf rules not loaded

PR: 235076
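As an added illustration (not code from this revision or from pfctl), the same check done ahead of time from the shell: count the entries in a pf table file and compare them with the limit, so an oversized table is caught before pfctl -f is run. The limit is passed as an argument so the script runs anywhere; on FreeBSD it would come from sysctl -n net.pf.request_maxcount. The script assumes the whole table is submitted as one request, so the entry count is what is compared against the limit.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD revision: pre-check a pf table
# file against net.pf.request_maxcount before loading it.
# Table files hold one or more addresses per line; '#' starts a comment.

# count_table_entries FILE -> prints the number of address entries
count_table_entries() {
    # drop comments, split remaining whitespace-separated tokens one per
    # line, count the non-empty lines (grep -c prints 0 when none match)
    sed -e 's/#.*//' "$1" | tr -s ' \t' '\n' | grep -c . || true
}

# check_table_size FILE MAXCOUNT -> 0 if the table fits within MAXCOUNT,
# 1 if the kernel would reject it (mirrors the new pfctl message)
check_table_size() {
    n=$(count_table_entries "$1")
    if [ "$n" -gt "$2" ]; then
        printf 'table %s: %s elements, too many elements.\n' "$1" "$n" >&2
        printf 'Consider increasing net.pf.request_maxcount (currently %s).\n' "$2" >&2
        return 1
    fi
    printf 'table %s: %s elements, within net.pf.request_maxcount=%s\n' "$1" "$n" "$2"
    return 0
}

# Usage: sh check_table.sh FILE MAXCOUNT
# On FreeBSD: sh check_table.sh /etc/nets "$(sysctl -n net.pf.request_maxcount)"
if [ "$#" -eq 2 ]; then
    check_table_size "$1" "$2"
fi
```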

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review. Jan 28 2019, 8:36 AM
This revision was automatically updated to reflect the committed changes.