using interface groups in pf tables stopped working in 13.0-RELEASE

Chris bsd-lists at bsdforge.com
Wed Apr 14 18:09:08 UTC 2021 

On 2021-04-14 11:04, Chris wrote:
> On 2021-04-14 10:44, Peter Ankerstål wrote:
>> const { trusted:network mgmt:network dmz:network
>>>> guest:network edmz:network \
>>>>        admin:network iot:network client:network }
>>>> If I reload the configuration I get the following:
>>>> # pfctl -f /etc/pf.conf
>>>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>>>> pfctl: Syntax error in config file: pf rules not loaded
>>> Some changes in the pf source have been made over the last couple
>>> of months. The error returned appears to be related. It appears
>>> that your running into a table size/count and memory allocation
>>> related error. The first change moved/changed memory allocation to
>>> kernel space, requiring one to increase allocation via loader.conf(5).
>>> It was recently moved back to userspace allowing one to make changes
>>> to a running system via sysctl.conf(5) or the commandline.
>>> IOW if your on the recent change you should be able to simply
>>> increase your table count by executing something like:
>>> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
>>> OTOH if your stuck with the change in kernelspace, increase
>>> net.pf.request_maxcount=
>>> by some amount in loader.conf(5). If you are on the newer userspace
>>> change, you can issue the sysctl(8) command at your terminal for
>>> net.pf.request_maxcount=
>>> as well.
>> 
>> I dont think so. Everything works normally if I switch from group name to 
>> interface name
>> in the config.
> Sure. I only mentioned it because 1) the error you received looked almost 
> exactly
> the same as the one I encountered after the (pf source) changes, 2) alot of 
> work
> has been done recently (as I mentioned above). :-)
> I'll defer to kp@ (Kristof Provost) for more insightful possibilities. As 
> he's done
> most all the recent work. :-)
> 
> --Chris
CC'ing pf@ for better coverage of your problem.

>> 
>> It seems to me that pf for some reason changed how it interprets group 
>> names
>> differently from
>> 12.2-RELEASE-p4 and 13.0-RELEASE.
>> 
>> I dont really get how "anchor in from trusted:network” can resolve to 
>> "anchor in inet6 all”
>> 
>> /Peter.
>> _______________________________________________
>> freebsd-stable at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

More information about the freebsd-stable mailing list