Solved Can't change the table-entries hard limit with pf

This has been driving me crazy. I remember I used to be able to do this in the past with older versions of FreeBSD. I can't seem to change the table-entries with pf. I added this to /boot/loader.conf:

Code:
net.pf.states_hashsize=1048576
net.pf.src_nodes_hashsize=1048576
net.pf.request_maxcount=1000000

I tried this in /etc/pf.conf:

set limit table-entries 300000

As well as this:

set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }

I've rebooted and tried reloading pf, but I see no changes:

Code:
# pfctl -s memory
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit 200000

Any suggestions?
 
This works for me now on CURRENT. Please check where you place your set limits in the config. See also set require-order in pf.conf(5).

I assume you mean in my /etc/pf.conf for the config. This is the whole file now:

# Declare the table and make it persistent
table <spammers> persist

# Skip filtering on the loopback interface
set skip on lo0

# Try for higher table entries
#set limit table-entries 300000
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }

# Default block all traffic
block all

# Allow SSH traffic
pass in proto tcp to port { 22 }

# Allow DNS, NTP, and HTTP/HTTPS traffic
pass out proto { tcp udp } to port { 22 53 80 123 443 }

# Allow ICMP echo requests
pass out inet proto icmp icmp-type { echoreq }

# Example rule to block traffic from IPs in the spammers table
block in quick from <spammers>

Do you see anything wrong with the order here?
 
No, it looks good. I put your rules in a temporary config and have configured limits:

# pfctl -f /tmp/pf.conf
# pfctl -s memory
states hard limit 200000
src-nodes hard limit 100000
frags hard limit 200000
table-entries hard limit 350000

So problem is somewhere else.
 
What else could cause this? I have a pretty vanilla install of FreeBSD I'm working with here.

EDIT: I did these steps again in a new VM and it works now. No idea what caused this, but for now this is solved.
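An added example, not from the thread and not FreeBSD's own tooling: a POSIX shell script that parses the `set limit` line(s) of a pf.conf and the `hard limit` lines of `pfctl -s memory`, then reports which limits the running pf actually picked up. It automates the by-eye comparison done above. The sample config and the two `pfctl -s memory` outputs are constructed inline from what was posted so it runs offline; the function names (`conf_limit`, `running_limit`, `check_limits`) are my own, and the real-host invocation is shown in the comments.

```shell
#!/bin/sh
# Cross-check pf.conf "set limit" values against what pfctl reports.
# Added example; constructed sample inputs follow. On a real host run:
#   check_limits "$(cat /etc/pf.conf)" "$(pfctl -s memory)"

# Constructed: the pf.conf posted in the thread (limits only, rules trimmed).
SAMPLE_PFCONF='table <spammers> persist
set skip on lo0
#set limit table-entries 300000
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }
block all
'

# Constructed: pfctl -s memory before the limits took effect (kernel defaults).
SAMPLE_MEMORY_BEFORE='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit 200000
'

# Constructed: pfctl -s memory after a successful "pfctl -f".
SAMPLE_MEMORY_AFTER='states hard limit 200000
src-nodes hard limit 100000
frags hard limit 200000
table-entries hard limit 350000
'

# conf_limit NAME CONFTEXT
# Prints the value NAME is given on any uncommented "set limit" line
# (single or brace form); empty if the config never sets it. Last wins.
conf_limit() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*set[ \t]+limit/ {
            line = $0
            sub(/#.*/, "", line)          # drop trailing comment
            gsub(/[{},]/, " ", line)      # braces and commas are just separators
            n = split(line, f)
            for (i = 1; i < n; i++) if (f[i] == name) v = f[i + 1]
        }
        END { print v }'
}

# running_limit NAME MEMTEXT
# Prints the hard limit pfctl -s memory reports for NAME; empty if absent.
running_limit() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 == "hard" && $3 == "limit" { v = $4 }
        END { print v }'
}

# check_limits CONFTEXT MEMTEXT
# One line per limit; exit status 0 only if every configured limit is live.
check_limits() {
    _rc=0
    for _name in states src-nodes frags table-entries; do
        _want=$(conf_limit "$_name" "$1")
        _have=$(running_limit "$_name" "$2")
        if [ -z "$_want" ]; then
            printf '%-14s not set in config (running %s)\n' "$_name" "$_have"
        elif [ "$_want" = "$_have" ]; then
            printf '%-14s ok (%s)\n' "$_name" "$_have"
        else
            printf '%-14s MISMATCH: config %s, running %s\n' "$_name" "$_want" "$_have"
            _rc=1
        fi
    done
    return $_rc
}

# Demo on the constructed samples: the first run reproduces the mismatch
# from the thread, the second the state after the limits were applied.
check_limits "$SAMPLE_PFCONF" "$SAMPLE_MEMORY_BEFORE" \
    || echo 'limits differ from config: check set option placement and reload with pfctl -f /etc/pf.conf'
check_limits "$SAMPLE_PFCONF" "$SAMPLE_MEMORY_AFTER"
```

A non-zero exit from `check_limits` on a real host means the config was either not loaded (`pfctl -f` reported an error or was never run after editing) or the `set limit` line was not parsed as an option; pf.conf(5) expects options ahead of the rule sections, which is what `set require-order` enforces, so keep the `set` lines near the top as in the posted config.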
 