pfctl: DIOCSETLIMIT

I have a vanilla FreeBSD 10.0-RELEASE system running PF with a trivial configuration (see below). If I attempt to load the configuration, I get:
Code:
# /sbin/pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT
#
As a result, no rules are loaded.

I patched pfctl to show which index/limit it was failing on:
Code:
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 200000
Index 4 refers to PF_LIMIT_TABLE_ENTRIES. I tested this out with a lower limit:
Code:
set limit table-entries 50
but it failed with the same error:
Code:
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 50
The UMA zone limits look like this:
Code:
# vmstat -z | egrep -i '(entries|limit)'
ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf table entries:       160,      0,       2,     123,       2,   0,   0
pf frag entries:         32,   5000,       0,       0,       0,   0,   0
#
I can't figure out why this is failing. Does anyone have any ideas?

Nick

Configuration:
Code:
# grep "real memory" /var/run/dmesg.boot
real memory  = 8589934592 (8192 MB)
# uname -a
FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
#

Code:
ext_if="vlan112"
icmp_types_ipv4 = "echoreq"
set block-policy drop
set skip on lo0
set skip on vlan200
set skip on vlan250
table <fail2ban> persist
scrub in inet all
block in quick on $ext_if from <fail2ban> to any
block in log on $ext_if inet  all
pass out on $ext_if inet  all keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 } 
pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto udp from any to any port ntp
 
I'm encountering this as well since I upgraded to 10.0-RELEASE. Did you find out what is going on?
Yep, mismatched userland and kernel. freebsd-update(8) screwed up and only upgraded the kernel. The userland stayed at 9.x. Doing a forced upgrade of the FreeBSD userland fixed the problem.
 
Bug is filed here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195568

But this worries me. What if this was a security update that didn't get applied? Shouldn't freebsd-update at least notice that the checksum is wrong on /sbin/pfctl and report that?

EDIT: After reading a little more about how it works, I suppose it is best practice to run freebsd-update IDS after every update and make sure nothing suspicious appears. In this case everything is terribly out of date even though the updates seemed to apply successfully.
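Two checks for the half-applied upgrade described in this thread, as an added example that is not from any poster here: compare the kernel and userland release strings reported by freebsd-version(1) (shipped since 10.0), and pull out the paths that `freebsd-update IDS` reports with a wrong hash so they can be reviewed. The IDS line format ("<path> has SHA256 hash X, but should have SHA256 hash Y.") and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes freebsd-version(1) and the
# freebsd-update IDS output format described in the lead-in.

# release_base: drop the "-pN" patch level, e.g. 10.0-RELEASE-p3 -> 10.0-RELEASE
release_base() {
    printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'
}

# check_release KERNEL USERLAND: prints "match" or "mismatch".
# A 10.0 kernel with 9.x userland (the case in this thread) is a mismatch.
check_release() {
    if [ "$(release_base "$1")" = "$(release_base "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# stale_files: read freebsd-update IDS output on stdin and print only the
# paths whose SHA256 hash differs from the release index, one per line.
# Permission/ownership complaints are left out of this list.
stale_files() {
    sed -n 's/^\(\/[^ ]*\) has SHA256 hash .*, but should have SHA256 hash .*/\1/p'
}

# Constructed sample of what a kernel-only upgrade would leave behind
SAMPLE_IDS='/sbin/pfctl has SHA256 hash 1111, but should have SHA256 hash 2222.
/usr/bin/id has SHA256 hash 3333, but should have SHA256 hash 4444.
/etc/rc.conf has 0644 permissions, but should have 0600 permissions.'

# On a FreeBSD host run the real tools (IDS needs root and network);
# elsewhere, demonstrate on the constructed sample.
if command -v freebsd-version >/dev/null 2>&1; then
    echo "kernel/userland: $(check_release "$(freebsd-version -k)" "$(freebsd-version -u)")"
    freebsd-update IDS | stale_files
else
    echo "sample kernel/userland: $(check_release 10.0-RELEASE 9.2-RELEASE-p1)"
    printf '%s\n' "$SAMPLE_IDS" | stale_files
fi
```

Any path printed by stale_files after a successful-looking update is the signal the poster asks for: userland files that the update did not actually replace.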
 