I have a vanilla FreeBSD 10.0-RELEASE system running PF with a trivial configuration (see below). If I attempt to load the configuration, I get:
Code:
# /sbin/pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT
#
As a result, no rules are loaded.
I patched pfctl to show which index/limit it was failing on:
Code:
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 200000
index 4 refers to PF_LIMIT_TABLE_ENTRIES. I tested this out with a lower limit:
Code:
set limit table-entries 50
but it failed with the same error:
Code:
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 50
The UMA zone limits look like this:
Code:
# vmstat -z | egrep -i '(entries|limit)'
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf table entries: 160, 0, 2, 123, 2, 0, 0
pf frag entries: 32, 5000, 0, 0, 0, 0, 0
#
I can't figure out why this is failing. Does anyone have any ideas?
Nick
Configuration:
Code:
# grep "real memory" /var/run/dmesg.boot
real memory = 8589934592 (8192 MB)
# uname -a
FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
#
Code:
ext_if="vlan112"
icmp_types_ipv4 = "echoreq"
set block-policy drop
set skip on lo0
set skip on vlan200
set skip on vlan250
table <fail2ban> persist
scrub in inet all
block in quick on $ext_if from <fail2ban> to any
block in log on $ext_if inet all
pass out on $ext_if inet all keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 }
pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto udp from any to any port ntp
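A small diagnostic for the symptom above, added here as an example and not part of Nick's post: it parses the `set limit` directives from pf.conf and the zone table from `vmstat -z`, then reports per limit whether the kernel zone actually carries the configured cap (a LIMIT of 0 in vmstat means the zone is uncapped). The two zone names shown in the post are used as-is; the zone names assumed for `states` and `src-nodes` are my assumption and should be checked against your own `vmstat -z`.

```python
import re

# pf.conf "set limit" keyword -> UMA zone name as printed by `vmstat -z`.
# "pf table entries"/"pf frag entries" come from the post; the other two are assumptions.
LIMIT_TO_ZONE = {"states": "pf states", "src-nodes": "pf src nodes",
                 "frags": "pf frag entries", "table-entries": "pf table entries"}

# Constructed sample input: the post's `vmstat -z` lines plus a pf.conf fragment.
SAMPLE_VMSTAT = """ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf table entries: 160, 0, 2, 123, 2, 0, 0
pf frag entries: 32, 5000, 0, 0, 0, 0, 0
"""
SAMPLE_PF_CONF = "set limit table-entries 200000\nset limit { frags 5000 }\n"

def parse_vmstat_z(text):
    """Return {zone: {"limit": int, "used": int}} from `vmstat -z` output."""
    zones = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<zone>[^:]+):\s*(?P<nums>[\d,\s]+)$", line.strip())
        if not m:
            continue  # header or unrelated line
        nums = [int(n) for n in m.group("nums").replace(",", " ").split()]
        if len(nums) >= 3:  # columns: SIZE, LIMIT, USED, FREE, REQ, FAIL, SLEEP
            zones[m.group("zone").strip()] = {"limit": nums[1], "used": nums[2]}
    return zones

def parse_set_limits(pf_conf):
    """Return {keyword: value} for each `set limit` directive in pf.conf."""
    limits = {}
    for line in pf_conf.splitlines():
        m = re.match(r"^set\s+limit\s+(.*)$", line.split("#", 1)[0].strip())
        if m:  # handles `set limit states N` and `set limit { states N, frags M }`
            for key, val in re.findall(r"([a-z-]+)\s+(\d+)", m.group(1)):
                limits[key] = int(val)
    return limits

def check_limits(pf_conf, vmstat_text):
    """Compare every configured limit with the kernel zone it should cap."""
    zones = parse_vmstat_z(vmstat_text)
    report = {}
    for key, wanted in parse_set_limits(pf_conf).items():
        zone = zones.get(LIMIT_TO_ZONE.get(key, ""), {"limit": None, "used": None})
        # a kernel LIMIT of 0 means the zone is uncapped: the set limit never took effect
        report[key] = {"configured": wanted, "kernel_limit": zone["limit"],
                       "used": zone["used"], "applied": zone["limit"] == wanted}
    return report

if __name__ == "__main__":
    for key, row in check_limits(SAMPLE_PF_CONF, SAMPLE_VMSTAT).items():
        print(key, row)
```

On a live host, feed it the real files with `check_limits(open("/etc/pf.conf").read(), subprocess.check_output(["vmstat", "-z"], text=True))`; a row with `applied: False` and `kernel_limit: 0` is exactly the state the post's output shows for table-entries.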