On Thu, Jul 21, 2022 at 10:25:09PM +0100, Jason McIntyre wrote:
...
> it looks like the "set limit" text in pf.conf(5) might need some small
> adjustments:
>
> - as well as the "anchors" limit, it does not document "pktdelay-pkts"
>
> - for entries where defaults are not documented, it is not clear whether
> this is an omission or they are just not limited by default (in the
> same way that things like table numbers are limited). those affected
> seem to be src-nodes and pktdelay-pkts
All of these limits have defaults that are sometimes set in the
kernel or with the first pfctl invocation during boot:
/usr/src/sbin/pfctl.c:
1726 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
...
1729 pf->limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;
/usr/include/net/pfvar.h:
#define PFSNODE_HIWAT 10000 /* default source node table size */
...
#define PF_PKTDELAY_MAXPKTS 10000 /* max # of pkts held in delay queue */
> - the two entries for "table-entries" are confusing. it seems to be that
> machines with less than a specific amount of memory have their entries
> limited to the value of _SMALL. but the way it's documented makes that
> unclear. i'm not sure whether the reader needs the names such as
> PFSTATE_HIWAT. i think it's just confusing to list it this way. we
> should probably have one item, table-entries, and say what the default
> is normally, and what it is for lesser memory setups.
/usr/src/sbin/pfctl.c:
1737 if (mem <= 100*1024*1024)
1738 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
If the machine has less than 100MB physical memory, ..._SMALL is set for
PF_LIMIT_TABLE_ENTRIES.
> - i think the whole section should just be reduced to a simple list of
> what can be set, and any default values.
>
> here's a stab at tidying up. i've inserted a couple of XXX for where i
> came unstuck.
>
> thoughts? help?
I appreciate where this is going.
mbuhl
> jmc
>
> Index: pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.596
> diff -u -p -r1.596 pf.conf.5
> --- pf.conf.5 27 May 2022 15:45:02 -0000 1.596
> +++ pf.conf.5 21 Jul 2022 21:22:08 -0000
> @@ -1236,65 +1236,56 @@ See
> .Xr pool 9
> for an explanation of memory pools.
> .Pp
> -For example,
> -to set the maximum number of entries in the memory pool used by state table
> -entries (generated by
> +Limits can be set on the following:
> +.Bl -tag -width pktdelay_pkts
> +.It Cm states
> +Set the maximum number of entries in the memory pool used by state table
> +entries (those generated by
> .Ic pass
> rules which do not specify
> -.Cm no state )
> -to 20000:
> -.Pp
> -.Dl set limit states 20000
> -.Pp
> -To set the maximum number of entries in the memory pool used for fragment
> -reassembly to 2000:
> -.Pp
> -.Dl set limit frags 2000
> -.Pp
> -This maximum may not exceed, and should be well below, the maximum number
> -of mbuf clusters
> -.Pq sysctl kern.maxclusters
> -in the system.
> -.Pp
> -To set the maximum number of entries in the memory pool used for tracking
> +.Cm no state ) .
> +The default is 100000.
> +.It Cm src-nodes
> +Set the maximum number of entries in the memory pool used for tracking
> source IP addresses (generated by the
> .Cm sticky-address
> and
> .Cm src.track
> -options) to 2000:
> -.Pp
> -.Dl set limit src-nodes 2000
> -.Pp
> -To set limits on the memory pools used by tables:
> -.Bd -literal -offset indent
> -set limit tables 1000
> -set limit table-entries 100000
> -.Ed
> -.Pp
> -The first limits the number of tables that can exist to 1000.
> -The second limits the overall number of addresses that can be stored
> -in tables to 100000.
> -.Pp
> -Various limits can be combined on a single line:
> -.Bd -literal -offset indent
> -set limit { states 20000, frags 2000, src-nodes 2000 }
> -.Ed
> -.Pp
> -.Xr pf 4
> -has the following defaults:
> -.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent
> -.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000
> -.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000
> -.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000
> -.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000
> -.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent
> -.El
> -.Pp
> +options).
> +The default is
> +.\" XXX
> +.It Cm frags
> +Set the maximum number of entries in the memory pool used for fragment
> +reassembly.
> +The maximum may not exceed, and should be well below,
> +the maximum number of mbuf clusters
> +.Pq sysctl kern.maxclusters
> +in the system.
> +The default is NMBCLUSTERS/32.
> .Dv NMBCLUSTERS
> defines the total number of packets which can exist in-system at any one
> time.
> Refer to
> .In machine/param.h
> for the platform-specific value.
> +.It Cm tables
> +Set the number of tables that can exist.
> +The default is 1000.
> +.It Cm table-entries
> +Set the number of addresses that can be stored in tables.
> +The default is 200000, or 100000 on machines with
> +lower amounts of physical memory.
> +.\" XXX how much memory triggers _SMALL?
> +.It Cm pktdelay_pkts
> +.\" XXX what is this?
> +.It Cm anchors
> +Set the number of anchors that can exist.
> +The default is 512.
> +.El
> +.Pp
> +Multiple limits can be combined on a single line:
> +.Bd -literal -offset indent
> +set limit { states 20000, frags 2000, src-nodes 2000 }
> +.Ed
> .It Ic set Cm loginterface Ar interface | Cm none
> Enable collection of packet and byte count statistics for the given
> interface or interface group.
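Review bot: the new `.It Cm pktdelay_pkts` entry (and the matching `.Bl -tag -width pktdelay_pkts`) spells the limit with an underscore, while the message body above calls it "pktdelay-pkts"; the tag should use the same spelling as the limit name pfctl accepts, so check that before this goes in. The three `.\" XXX` gaps can be filled from the reply above: `src-nodes` defaults to PFSNODE_HIWAT (10000), `pktdelay-pkts` to PF_PKTDELAY_MAXPKTS (10000), and the `table-entries` _SMALL value (100000) applies when pfctl sees physical memory of 100MB or less (`mem <= 100*1024*1024`). One style point under `frags`: "The default is NMBCLUSTERS/32." writes the constant as plain text immediately before the surviving `.Dv NMBCLUSTERS` line; the removed table row had `.Dv NMBCLUSTERS Ns /32`, and keeping that markup would be consistent with the rest of the entry.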
>
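As an added illustration of the defaults discussed in this thread (this is not code from the thread, from pfctl, or from OpenBSD), the following script turns them into a check an operator can run over `pfctl -sm` output. It assumes the `name hard limit N` line format that pfctl prints for `-sm`; the sample output, the host values (physical memory, NMBCLUSTERS, kern.maxclusters) and the "well below" ratio of one half for `frags` are all constructed for the example. The 100MB threshold and the constants come from the message above and from the diff (anchors 512).

```python
"""Compare pf 'set limit' values with the defaults discussed in the thread.

Added example, not part of the thread or of pfctl. Parses `pfctl -sm` output
(line format assumed: "<name> hard limit <N>") and reports limits that differ
from the defaults, plus a frags limit that is not well below kern.maxclusters.
"""
import re

# pfctl installs the _SMALL table-entries default when mem <= 100*1024*1024.
SMALL_MEM_BYTES = 100 * 1024 * 1024

def expected_defaults(physmem_bytes, nmbclusters):
    """Default hard limits for a host with the given physical memory and
    NMBCLUSTERS: PFSTATE_HIWAT, PFSNODE_HIWAT, NMBCLUSTERS/32, PFR_KTABLE_HIWAT,
    PFR_KENTRY_HIWAT or _SMALL, PF_PKTDELAY_MAXPKTS, anchors (512 per the diff)."""
    small = physmem_bytes <= SMALL_MEM_BYTES
    return {
        "states": 100000,
        "src-nodes": 10000,
        "frags": nmbclusters // 32,
        "tables": 1000,
        "table-entries": 100000 if small else 200000,
        "pktdelay-pkts": 10000,
        "anchors": 512,
    }

# Assumed `pfctl -sm` line format; anything that does not match is ignored.
LINE_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)\s*$")

def parse_limits(text):
    """Parse `pfctl -sm` output into {limit name: hard limit}."""
    limits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits

def check_limits(limits, physmem_bytes, nmbclusters, maxclusters, frags_ratio=0.5):
    """Return (kind, name, value) findings. A limit that differs from the
    default is reported as "changed" (informational); frags at or above
    frags_ratio * kern.maxclusters is reported as "frags-too-high"."""
    findings = []
    for name, default in expected_defaults(physmem_bytes, nmbclusters).items():
        if name not in limits:
            findings.append(("missing", name, None))
        elif limits[name] != default:
            findings.append(("changed", name, limits[name]))
    frags = limits.get("frags")
    if frags is not None and frags >= frags_ratio * maxclusters:
        findings.append(("frags-too-high", "frags", frags))
    return findings

# Constructed sample: an admin raised states and set frags far too close to
# kern.maxclusters on a host with NMBCLUSTERS 8192 (frags default 256).
SAMPLE_OUTPUT = """\
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     6000
tables        hard limit     1000
table-entries hard limit   200000
pktdelay-pkts hard limit    10000
anchors       hard limit      512
"""

if __name__ == "__main__":
    # Assumed host values: 2 GiB of RAM, NMBCLUSTERS 8192, kern.maxclusters 8192.
    for kind, name, value in check_limits(parse_limits(SAMPLE_OUTPUT),
                                          2 * 1024 ** 3, 8192, 8192):
        print(kind, name, value)
```

On a real host the sample would be replaced by the output of `pfctl -sm`, and the memory, NMBCLUSTERS and kern.maxclusters values by the host's own; the script then points at exactly the two things the thread is about, which limits were changed from their defaults and whether `frags` stays well below the mbuf cluster limit.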