[Bug 285081] pf not loading rules at boot time if a large table is involved
Date: Fri, 28 Feb 2025 19:42:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285081
Bug ID: 285081
Summary: pf not loading rules at boot time if a large table is involved
Product: Base System
Version: 14.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: dvl@FreeBSD.org
pf is having trouble loading a large file during system startup. After startup,
the file can be loaded manually, without issue. pf recommends a sysctl change:
after implementing that, it does not help.
The following is from the console after startup:
Enabling pfcannot define inactive set table bogons_v6: too many elements.
Consider increasing net.pf.request_maxcount.
/etc/pf.conf: 152: cannot define table bogons_v6: too many elements.
Consider increasing net.pf.request_maxcount.
pfctl: Syntax error in config file: pf rules not loaded
/etc/rc: WARNING: Unable to load /etc/pf.conf.
I have the following sysctl control:
[19:27 gw01 dvl /etc] % cat /etc/sysctl.conf.local
net.pf.request_maxcount=350000
(I have tried 550000 - not a fix)
I added that same line to /boot/loader.conf (just in case; it does not fix it).
Let's try boosting the limits in case I was hitting that. In /etc/pf.conf:
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }
If I invoke pf at this stage, I get:
[18:45 gw01 dvl ~] % sudo pfctl -f /etc/pf.conf
[18:46 gw01 dvl ~] % sudo pfctl -sm
states hard limit 200000
src-nodes hard limit 100000
frags hard limit 200000
table-entries hard limit 350000
OK, let's reboot. After boot, I see this:
[19:33 gw01 dvl ~] % sudo pfctl -sm
states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 200000
Inspecting via `pfctl -sa`, the rules are not loaded.
[19:33 gw01 dvl ~] % sudo pfctl -sa | wc -l
63
Manually loading, I have success:
[19:33 gw01 dvl ~] % sudo pfctl -f /etc/pf.conf
[19:34 gw01 dvl ~] % sudo pfctl -sm
states hard limit 200000
src-nodes hard limit 100000
frags hard limit 200000
table-entries hard limit 350000
[19:34 gw01 dvl ~] % sudo pfctl -sa | wc -l
2030
Ideally, I would like not to have to manually intervene after each reboot.
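The symptom in the report, a "set limit" line that is in effect after a manual `pfctl -f` but not after boot while `pfctl -sa` shows the rules missing, means the host is running without the rules in /etc/pf.conf until someone notices. The following shell script is an added example, not part of the bug report or of FreeBSD: it compares the limits `pfctl -sm` reports with those requested in pf.conf and counts the entries a table file would load so the number can be checked against net.pf.request_maxcount; it assumes a single-line "set limit" in /etc/pf.conf and is exercised here on output copied from the report.

```shell
#!/bin/sh
# Added example, not from the bug report: text-processing helpers that compare
# the pf memory limits actually in effect (`pfctl -sm`) with the ones a pf.conf
# "set limit" line requests, and count how many entries a table file would load
# so the count can be checked against net.pf.request_maxcount before a reboot.

# Hard limit for one pool (states, src-nodes, frags, table-entries) from
# `pfctl -sm` output read on stdin.
limit_from_pfctl_sm() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Requested value for one pool from a one-line pf.conf "set limit ..." read on
# stdin; handles both "set limit states N" and the braced, comma-separated form.
limit_from_pf_conf() {
    sed -n 's/^set limit//p' | tr -d '{}' | tr ',' '\n' |
        awk -v pool="$1" '$1 == pool { print $2; exit }'
}

# Compare every pool named in the "set limit" line ($1) with `pfctl -sm`
# output ($2).  Prints "pool requested N active M" per mismatch and returns
# 1 if any limit is not in effect, which is what the report shows after boot.
check_limits() {
    rc=0
    for pool in $(printf '%s\n' "$1" | sed -n 's/^set limit//p' | tr -d '{}' |
                  tr ',' '\n' | awk '{ print $1 }'); do
        want=$(printf '%s\n' "$1" | limit_from_pf_conf "$pool")
        have=$(printf '%s\n' "$2" | limit_from_pfctl_sm "$pool")
        if [ "$want" != "$have" ]; then
            printf '%s requested %s active %s\n' "$pool" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Number of addresses a table file on stdin would load (blank lines and
# comments are not entries); compare the result with net.pf.request_maxcount.
count_table_entries() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# Live check on a FreeBSD host; skipped elsewhere.  Assumes a single-line
# "set limit" in /etc/pf.conf (an assumption, not something the report states).
if [ "$(uname -s)" = FreeBSD ] && command -v pfctl >/dev/null 2>&1; then
    check_limits "$(grep '^set limit' /etc/pf.conf)" "$(pfctl -sm)"
fi
```

Run from cron or an rc.d script shortly after boot, a non-zero exit from check_limits is the signal that /etc/pf.conf did not load and needs the manual `pfctl -f` the report describes.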