svn commit: r343520 - head/sbin/pfctl

Kristof Provost kp at FreeBSD.org
Mon Jan 28 08:36:11 UTC 2019


Author: kp
Date: Mon Jan 28 08:36:10 2019
New Revision: 343520
URL: https://svnweb.freebsd.org/changeset/base/343520

Log:
  pfctl: Point users to net.pf.request_maxcount if large requests are rejected
  
  The kernel will reject very large tables to avoid resource exhaustion
  attacks. Some users run into this limit with legitimate table
  configurations.
  
  The error message in this case was not very clear:
  
      pf.conf:1: cannot define table nets: Invalid argument
      pfctl: Syntax error in config file: pf rules not loaded
  
  If a table definition fails we now check the request_maxcount sysctl,
  and if we've tried to create more than that point the user at
  net.pf.request_maxcount:
  
      pf.conf:1: cannot define table nets: too many elements.
      Consider increasing net.pf.request_maxcount.
      pfctl: Syntax error in config file: pf rules not loaded
  
  PR:		235076
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D18909

Modified:
  head/sbin/pfctl/parse.y

Modified: head/sbin/pfctl/parse.y
==============================================================================
--- head/sbin/pfctl/parse.y	Mon Jan 28 02:26:05 2019	(r343519)
+++ head/sbin/pfctl/parse.y	Mon Jan 28 08:36:10 2019	(r343520)
@@ -4743,6 +4743,8 @@ process_tabledef(char *name, struct table_opts *opts)
 {
 	struct pfr_buffer	 ab;
 	struct node_tinit	*ti;
+	unsigned long		 maxcount;
+	size_t			 s = sizeof(maxcount);
 
 	bzero(&ab, sizeof(ab));
 	ab.pfrb_type = PFRB_ADDRS;
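Review bot: `maxcount` is declared as `unsigned long` but never initialised, and `s = sizeof(maxcount)` hands the full 8 bytes (on LP64) to `sysctlbyname()` below; if the kernel exports `net.pf.request_maxcount` with a narrower type than `unsigned long`, the call succeeds, fills only the low bytes and shrinks `s`, leaving the upper bytes as stack garbage so `ab.pfrb_size > maxcount` compares against a bogus value. Either match the kernel-side type of the sysctl exactly, or at minimum initialise the variable (`unsigned long maxcount = 0;`) and treat a returned `s != sizeof(maxcount)` as a failure that falls back to the default.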
@@ -4770,8 +4772,19 @@ process_tabledef(char *name, struct table_opts *opts)
 	if (!(pf->opts & PF_OPT_NOACTION) &&
 	    pfctl_define_table(name, opts->flags, opts->init_addr,
 	    pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
-		yyerror("cannot define table %s: %s", name,
-		    pfr_strerror(errno));
+
+		if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s,
+		    NULL, 0) == -1)
+			maxcount = 65535;
+
+		if (ab.pfrb_size > maxcount)
+			yyerror("cannot define table %s: too many elements.\n"
+			    "Consider increasing net.pf.request_maxcount.",
+			    name);
+		else
+			yyerror("cannot define table %s: %s", name,
+			    pfr_strerror(errno));
+
 		goto _error;
 	}
 	pf->tdirty = 1;
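Review bot: the `else` branch still formats `pfr_strerror(errno)`, but `sysctlbyname()` has run in between and overwrites `errno` when it fails (for example on a kernel that does not expose `net.pf.request_maxcount`, which is exactly the case the `maxcount = 65535` fallback is meant to cover), so the user would see the sysctl's error instead of the one from `pfctl_define_table()`. Save it first, e.g. `int saved_errno = errno;` before the `sysctlbyname()` call and `pfr_strerror(saved_errno)` in the `else`. Two smaller points: the literal `65535` silently duplicates the kernel default and deserves a comment naming it as such (or a shared define), and the `ab.pfrb_size > maxcount` test is a heuristic, since the define can fail for reasons other than size even when the table happens to be large; gating the new message on the original `errno` as well would keep the old, accurate message for those cases.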