Re: Is there an upper limit to PF's tables?

2018-06-18 Thread Chris H

On Mon, 18 Jun 2018 12:08:33 +0200 "Kristof Provost"  said


On 18 Jun 2018, at 0:19, Chris H wrote:
> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
>
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed, since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?
>
No. There are no new limits in 11, and the only thing that *might* be an 
issue is validation improvements in 12. Still, anything that worked on 9 
is expected to work on 12 (if not, report a bug).

Thank you very much for the informative reply, Kristof!



Please don’t keep running unsupported versions.

Your reply leaves me little reason to think I need, or want to. :-)

Thanks, again!

--Chris


Regards,
Kristof



___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


Re: Is there an upper limit to PF's tables?

2018-06-18 Thread Chris H

On Mon, 18 Jun 2018 12:21:47 +0200 "Kurt Jaeger"  said


Hi!

> > So loading all entries in to empty table works fine, but reloading
> > didn't work.
>
> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
>
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed, since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?

Well, if you plan to upgrade, I'd suggest you do some tests,
like dumping those tables and loading them on a new box.

At all our installations we did use PF in 9.x times and
had no problems moving to 11.x.

Thanks for the reply, Kurt.
That's good advice, indeed. As that was pretty much my "game plan".
But recently I've seen a few entries on the list, and a few pr(1)'s
regarding the inability to start pf(1), because the tables were too large.
Whereas I hadn't heard anyone mention it in the past. So it seemed prudent
to ask. :-)

Thanks again, Kurt!

--Chris


--
p...@opsec.eu+49 171 31013722 years to go !
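The dump-and-reload test Kurt suggests, written out as an added shell example that is not part of the thread. It assumes pfctl(8) as shipped with FreeBSD; the table names and the sample dump are constructed. Beyond the dump and replace steps it sanity-checks the dumped files and derives a `set limit table-entries` value, because the pf.conf default of 200000 entries is what usually stops a multi-million-entry table from loading on a freshly installed box.

```shell
# The dump-and-reload test from this thread, as an added example that is
# not part of the original posts. Assumes pfctl(8) as shipped with FreeBSD;
# table names and the sample dump below are constructed.
set -eu

# `pfctl -t T -T show` prints one indented entry per line. Strip the
# indentation and blank lines, and refuse anything that is not an address
# or prefix, so a stray diagnostic in the dump cannot break the reload.
normalize_dump() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d' |
    awk '/^[0-9A-Fa-f.:]+(\/[0-9]+)?$/ { print; next }
         { print "bad entry: " $0 > "/dev/stderr"; bad = 1 }
         END { exit bad }'
}

# pf.conf `set limit table-entries` defaults to 200000 on FreeBSD, so a
# multi-million-entry table fails to load on a fresh box regardless of
# RAM unless the limit is raised. Suggest a value with 25% headroom.
suggest_limit() {
    count=$(wc -l < "$1" | tr -d ' ')
    echo $((count + count / 4))
}

dump_tables() {            # old box: one file per table under $1
    for t in $(pfctl -s Tables); do
        pfctl -t "$t" -T show | normalize_dump > "$1/$t.txt"
    done
}

load_tables() {            # new box: replace each table from its file
    for f in "$1"/*.txt; do
        pfctl -t "$(basename "$f" .txt)" -T replace -f "$f"
    done
}

# Constructed sample of `-T show` output (not a real dump) for offline use.
SAMPLE_DUMP='   10.0.0.1
   192.0.2.0/24

   2001:db8::1
   203.0.113.0/25'

sample_limit() {           # 4 normalized entries -> suggested limit 5
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DUMP" | normalize_dump > "$tmp"
    suggest_limit "$tmp"
    rm -f "$tmp"
}
```

`dump_tables` and `load_tables` are invoked by hand on the old and new box respectively; everything else runs without pf present.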





[Bug 229092] [pf] [pfsync] States created by route-to rules pfsynced without interface

2018-06-18 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229092

--- Comment #1 from Kajetan Staszkiewicz  ---
I came across an issue preventing this from working correctly when rebooting
hardware: pfsync is started before pf (or in my case before my custom service
populating pf rules). That's a problem, because for the route-to interface to be
correctly rebuilt, pf rules must already be present. I'm unsure if changing
this order is a good idea; maybe it is like this for a good reason?

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 226850] [pf] Matching but failed rules block without return

2018-06-18 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #21 from Kajetan Staszkiewicz  ---
Without this modification only "block" rules would be configured with the
return-enabling flag and return ICMP codes. The modification in parse.y ensures
that "pass" rules get this information too.



[Bug 226850] [pf] Matching but failed rules block without return

2018-06-18 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #20 from Kristof Provost  ---
(In reply to Kajetan Staszkiewicz from comment #19)
I'm not sure I understand what the changes in 'action : PASS {' (in parse.y)
are for. Other than that, I think it's good.



[Bug 226850] [pf] Matching but failed rules block without return

2018-06-18 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

Kajetan Staszkiewicz  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #194340|0                           |1
        is obsolete|                            |

--- Comment #19 from Kajetan Staszkiewicz  ---
Created attachment 194357
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=194357=edit
Reject connection when rule matched but state was not created

How about this one? Now there is no extra flag (probably better) and "pass"
rules get the same set of flags as "block" rules. I'm still testing it but I
want your opinion on it anyway.



Re: Is there an upper limit to PF's tables?

2018-06-18 Thread Kurt Jaeger
Hi!

> > So loading all entries in to empty table works fine, but reloading
> > didn't work.
> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
>
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed, since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?

Well, if you plan to upgrade, I'd suggest you do some tests,
like dumping those tables and loading them on a new box.

At all our installations we did use PF in 9.x times and
had no problems moving to 11.x.

-- 
p...@opsec.eu+49 171 31013722 years to go !


Re: Is there an upper limit to PF's tables?

2018-06-18 Thread Kristof Provost

On 18 Jun 2018, at 0:19, Chris H wrote:
> Sorry. Looks like I might be coming to the party a little late. But I'm
> currently running a 9.3 box that runs as an IP (service) filter for much
> of a network. While I've patched the box well enough to keep it safe to
> continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
> based on some of the information related to topics like this thread.
> Currently, the 9.3 box maintains some 18 million entries *just* within
> the SPAM related table. The other tables contain no less than 1 million.
>
> As it stands I have *no* trouble loading pf(4) with all of the tables
> totaling some 20+ million entries, *even* when the BOX is working with
> as little as 4Gb ram.
> Has something in pf(4) changed, since 9.3 that would now prevent me
> from continuing to use my current setup, and tables?

No. There are no new limits in 11, and the only thing that *might* be an 
issue is validation improvements in 12. Still, anything that worked on 9 
is expected to work on 12 (if not, report a bug).


Please don’t keep running unsupported versions.

Regards,
Kristof