pfctl: DIOCSETLIMIT

Nick Hilliard nick at foobar.org
Sun Mar 9 11:38:45 UTC 2014 

I have a vanilla freebsd 10.0-RELEASE system running pf with a trivial
configuration (see below). When I attempt to load the configuration, it
returns:

>     # /sbin/pfctl -f /etc/pf.conf
>     No ALTQ support in kernel
>     ALTQ related functions disabled
>     pfctl: DIOCSETLIMIT

As a result, no rules are loaded.  I patched pfctl to show which
index/limit it was failing on:

>     # ./pfctl-custom -f /etc/pf.conf
>     No ALTQ support in kernel
>     ALTQ related functions disabled
>     pfctl: DIOCSETLIMIT: index 4, limit 200000

index 4 refers to PF_LIMIT_TABLE_ENTRIES. I tested this out with a lower
limit using "set limit table-entries 50" in pf.conf but it failed with the
same error:

>     # ./pfctl-custom -f /etc/pf.conf
>     No ALTQ support in kernel
>     ALTQ related functions disabled
>     pfctl: DIOCSETLIMIT: index 4, limit 50

The UMA zone limits look like this:

>     # vmstat -z | egrep -i '(entries|limit)'
>     ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
>     pf table entries:       160,      0,       2,     123,       2,   0,   0
>     pf frag entries:         32,   5000,       0,       0,       0,   0,   0

Does anyone have any ideas why this might be failing?

Nick

box config:
> # grep "real memory" /var/run/dmesg.boot
> real memory  = 8589934592 (8192 MB)
> # uname -a
> FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root at snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

/etc/pf.conf:
> ext_if="vlan112"
> icmp_types_ipv4 = "echoreq"
> set block-policy drop
> set skip on lo0
> set skip on vlan200
> set skip on vlan250
> table <fail2ban> persist
> scrub in inet all
> block in quick on $ext_if from <fail2ban> to any
> block in log on $ext_if inet  all
> pass out on $ext_if inet  all keep state
> pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
> pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 }
> pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
> pass in on $ext_if proto udp from any to any port domain
> pass in on $ext_if proto udp from any to any port ntp

More information about the freebsd-pf mailing list