svn commit: r344020 - stable/11/sbin/pfctl
Kristof Provost
kp at FreeBSD.org
Mon Feb 11 19:08:04 UTC 2019
Author: kp
Date: Mon Feb 11 19:08:03 2019
New Revision: 344020
URL: https://svnweb.freebsd.org/changeset/base/344020
Log:
MFC r343520:
pfctl: Point users to net.pf.request_maxcount if large requests are rejected
The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.
The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount sysctl,
and if we've tried to create more than that point the user at
net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements.
    Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded
PR: 235076
Modified:
stable/11/sbin/pfctl/parse.y
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sbin/pfctl/parse.y
==============================================================================
--- stable/11/sbin/pfctl/parse.y Mon Feb 11 19:08:01 2019 (r344019)
+++ stable/11/sbin/pfctl/parse.y Mon Feb 11 19:08:03 2019 (r344020)
@@ -4728,6 +4728,8 @@ process_tabledef(char *name, struct table_opts *opts)
{
struct pfr_buffer ab;
struct node_tinit *ti;
+ unsigned long maxcount;
+ size_t s = sizeof(maxcount);
bzero(&ab, sizeof(ab));
ab.pfrb_type = PFRB_ADDRS;
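Review bot: `maxcount` is declared without an initializer (`+ unsigned long maxcount;`) while `s` is set to `sizeof(maxcount)`, so the later `sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL, 0)` read depends on the kernel exporting the OID with exactly that width. If the kernel side is a 32-bit int, only the low four bytes are written on LP64 and the high bytes used by the `ab.pfrb_size > maxcount` comparison are indeterminate. Suggest initializing it (`unsigned long maxcount = 0;`) or declaring it with the kernel's type and checking `s == sizeof(maxcount)` after the call before trusting the value.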
@@ -4755,8 +4757,19 @@ process_tabledef(char *name, struct table_opts *opts)
if (!(pf->opts & PF_OPT_NOACTION) &&
pfctl_define_table(name, opts->flags, opts->init_addr,
pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
- yyerror("cannot define table %s: %s", name,
- pfr_strerror(errno));
+
+ if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s,
+ NULL, 0) == -1)
+ maxcount = 65535;
+
+ if (ab.pfrb_size > maxcount)
+ yyerror("cannot define table %s: too many elements.\n"
+ "Consider increasing net.pf.request_maxcount.",
+ name);
+ else
+ yyerror("cannot define table %s: %s", name,
+ pfr_strerror(errno));
+
goto _error;
}
pf->tdirty = 1;
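Review bot: `errno` is read after `sysctlbyname()` may have overwritten it. The `else` branch prints `pfr_strerror(errno)` to explain why `pfctl_define_table()` failed, but `sysctlbyname()` runs in between and sets `errno` (for example to ENOENT when the OID does not exist, which is exactly the case that takes the `maxcount = 65535` fallback), so the reported reason can be the sysctl's error rather than the table's. Suggest saving it first, e.g. `int saved_errno = errno;` immediately after the failed define, and passing `saved_errno` to `pfr_strerror()`. A short comment noting that 65535 mirrors the kernel default for `net.pf.request_maxcount` would also help the next reader understand the fallback.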