PF Updating tables in PF

I am a bit puzzled about updating tables in PF. I can do:
Bash:
root# pfctl -t blocked_zones -T replace `head /etc/pf-conf.d/blocked_zones`
36009 addresses deleted.
root# pfctl -t blocked_zones -T replace `cat /etc/pf-conf.d/blocked_zones`
/sbin/pfctl: Argument list too long.
root# pfctl -t blocked_zones -T replace -f /etc/pf-conf.d/blocked_zones
pfctl: Invalid argument.

I understand why the second command fails. The command including its arguments (the file contains thousands of lines) is way too long for the shell.
However, I do not understand why the third command (with the -f flag) fails. I've checked the man page but could not see what is wrong.
 
This works:
Code:
# pfctl -f /etc/pf.conf
# pfctl -t blocked_zones -T show | wc -l
36019
I wonder then why I would use pfctl -t blocked_zones -T replace instead of pfctl -f /etc/pf.conf. I know the latter reloads the entire configuration which might be slow when you have a very large configuration file. But I doubt it would be that slow. Perhaps it resets connections?
 
pf recently started enforcing a maximum number of items that could be added/replaced/deleted/... in one ioctl() call. This helps prevent memory exhaustion attacks.
The limit is set through the net.pf.request_maxcount sysctl.
That *may* be what you're running into there, although I believe there's a warning from pfctl when that happens as well.
You don't mention what version you're running, so I can't check.
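
An added example (not code from the thread): a POSIX sh loader that splits a large address file into batches no bigger than net.pf.request_maxcount and feeds each one to pfctl with -T add -f, so no single request hits the limit described above. It assumes split(1) is available and that pfctl and sysctl are on PATH; both can be overridden via PFCTL/SYSCTL.

```shell
#!/bin/sh
# Added example, not from the thread: push a large address list into a pf table
# in batches, each no larger than net.pf.request_maxcount, so that no single
# ioctl() exceeds the per-request limit.
# PFCTL and SYSCTL are overridable so the batching logic can run without pf.
set -eu

# Batch size from the kernel; fall back to 1000 when the sysctl is unreadable
# (older pf without the limit, or not running on the firewall host).
batch_size() {
    n=$("${SYSCTL:-sysctl}" -n net.pf.request_maxcount 2>/dev/null || echo 0)
    case "$n" in
        ''|*[!0-9]*|0) n=1000 ;;
    esac
    echo "$n"
}

# Keep only address lines: drop comments and blank lines, since only real
# entries count against the batch size.
clean_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# load_table TABLE FILE: split FILE into batches and "-T add" each one.
# "add" is idempotent, so entries already present are kept and the table is
# never emptied mid-update (unlike flush-then-add). Entries removed from FILE
# are NOT deleted here; diff against "pfctl -t TABLE -T show" for that.
# Sets loaded_chunks to the number of batches sent.
load_table() {
    table=$1; file=$2; size=$(batch_size)
    tmpdir=$(mktemp -d)
    clean_entries "$file" > "$tmpdir/all"
    total=$(wc -l < "$tmpdir/all" | tr -d ' ')
    split -a 4 -l "$size" "$tmpdir/all" "$tmpdir/chunk."
    loaded_chunks=0
    for chunk in "$tmpdir"/chunk.*; do
        [ -e "$chunk" ] || continue     # no entries at all: glob left unmatched
        "${PFCTL:-pfctl}" -t "$table" -T add -f "$chunk"
        loaded_chunks=$((loaded_chunks + 1))
    done
    rm -rf "$tmpdir"
    echo "$table: $total entries sent in $loaded_chunks batch(es) of at most $size" >&2
}

# Usage: ./load_table.sh blocked_zones /etc/pf-conf.d/blocked_zones
if [ $# -eq 2 ]; then load_table "$1" "$2"; fi
```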
 
Kristof: would it be best to split the huge table into several smaller ones, or to reload the config with pfctl -f /etc/pf.conf? Any thoughts? Or does it not really matter?
 