On Thu, Jul 21, 2022 at 10:25:09PM +0100, Jason McIntyre wrote:
...
> it looks like the "set limit" text in pf.conf(5) might need some small
> adjustments:
>
> - as well as the "anchors" limit, it does not document "pktdelay-pkts"
>
> - for entries where defaults are not documented, it is not clear whether
>   this is an omission or they are just not limited by default (in the
>   same way that things like table numbers are limited). those affected
>   seem to be src-nodes and pktdelay-pkts
All of these limits have defaults that are sometimes set in the kernel or
with the first pfctl invocation during boot:

/usr/src/sbin/pfctl.c:
1726         pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
...
1729         pf->limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;

/usr/include/net/pfvar.h:
#define PFSNODE_HIWAT           10000   /* default source node table size */
...
#define PF_PKTDELAY_MAXPKTS     10000   /* max # of pkts held in delay queue */

> - the two entries for "table-entries" are confusing. it seems to be that
>   machines with less than a specific amount of memory have their entries
>   limited to the value of _SMALL. but the way it's documented makes that
>   unclear. i'm not sure whether the reader needs the names such as
>   PFSTATE_HIWAT. i think it's just confusing to list it this way. we
>   should probably have one item, table-entries, and say what the default
>   is normally, and what it is for lesser memory setups.

/usr/src/sbin/pfctl.c:
1737         if (mem <= 100*1024*1024)
1738                 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;

If the machine has less than 100MB physical memory, ..._SMALL is set for
PF_LIMIT_TABLE_ENTRIES.

> - i think the whole section should just be reduced to a simple list of
>   what can be set, and any default values.
>
> here's a stab at tidying up. i've inserted a couple of XXX for where i
> came unstuck.
>
> thoughts? help?

I appreciate where this is going.

mbuhl

> jmc
>
> Index: pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.596
> diff -u -p -r1.596 pf.conf.5
> --- pf.conf.5	27 May 2022 15:45:02 -0000	1.596
> +++ pf.conf.5	21 Jul 2022 21:22:08 -0000
> @@ -1236,65 +1236,56 @@ See > .Xr pool 9 > for an explanation of memory pools. > .Pp > -For example, > -to set the maximum number of entries in the memory pool used by state table > -entries (generated by > +Limits can be set on the following: > +.Bl -tag -width pktdelay_pkts > +.It Cm states > +Set the maximum number of entries in the memory pool used by state table > +entries (those generated by > .Ic pass > rules which do not specify > -.Cm no state ) > -to 20000: > -.Pp > -.Dl set limit states 20000 > -.Pp > -To set the maximum number of entries in the memory pool used for fragment > -reassembly to 2000: > -.Pp > -.Dl set limit frags 2000 > -.Pp > -This maximum may not exceed, and should be well below, the maximum number > -of mbuf clusters > -.Pq sysctl kern.maxclusters > -in the system. > -.Pp > -To set the maximum number of entries in the memory pool used for tracking > +.Cm no state ) . > +The default is 100000. > +.It Cm src-nodes > +Set the maximum number of entries in the memory pool used for tracking > source IP addresses (generated by the > .Cm sticky-address > and > .Cm src.track > -options) to 2000: > -.Pp > -.Dl set limit src-nodes 2000 > -.Pp > -To set limits on the memory pools used by tables: > -.Bd -literal -offset indent > -set limit tables 1000 > -set limit table-entries 100000 > -.Ed > -.Pp > -The first limits the number of tables that can exist to 1000. > -The second limits the overall number of addresses that can be stored > -in tables to 100000. 
> -.Pp > -Various limits can be combined on a single line: > -.Bd -literal -offset indent > -set limit { states 20000, frags 2000, src-nodes 2000 } > -.Ed > -.Pp > -.Xr pf 4 > -has the following defaults: > -.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent > -.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000 > -.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000 > -.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000 > -.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000 > -.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent > -.El > -.Pp > +options). > +The default is > +.\" XXX > +.It Cm frags > +Set the maximum number of entries in the memory pool used for fragment > +reassembly. > +The maximum may not exceed, and should be well below, > +the maximum number of mbuf clusters > +.Pq sysctl kern.maxclusters > +in the system. > +The default is NMBCLUSTERS/32. > .Dv NMBCLUSTERS > defines the total number of packets which can exist in-system at any one > time. > Refer to > .In machine/param.h > for the platform-specific value. > +.It Cm tables > +Set the number of tables that can exist. > +The default is 1000. > +.It Cm table-entries > +Set the number of addresses that can be stored in tables. > +The default is 200000, or 100000 on machines with > +lower amounts of physical memory. > +.\" XXX how much memory triggers _SMALL? > +.It Cm pktdelay_pkts > +.\" XXX what is this? > +.It Cm anchors > +Set the number of anchors that can exist. > +The default is 512. > +.El > +.Pp > +Multiple limits can be combined on a single line: > +.Bd -literal -offset indent > +set limit { states 20000, frags 2000, src-nodes 2000 } > +.Ed > .It Ic set Cm loginterface Ar interface | Cm none > Enable collection of packet and byte count statistics for the given > interface or interface group. >
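Review bot: the new `.It Cm pktdelay_pkts` entry (and the `-width pktdelay_pkts` argument on the `.Bl`) spells the keyword with an underscore, while the limit is called "pktdelay-pkts" in the mail above and every other item in the list uses a hyphen (`src-nodes`, `table-entries`); make it `.It Cm pktdelay-pkts` so the rendered name matches the pf.conf keyword. The three `.\" XXX` placeholders can be resolved from the values quoted earlier in this thread: `src-nodes` defaults to PFSNODE_HIWAT (10000); `pktdelay-pkts` is the maximum number of packets held in the delay queue and defaults to PF_PKTDELAY_MAXPKTS (10000), so the item also needs a body sentence in the same form as the others ("Set the maximum number of packets ...") rather than only the comment; and the `table-entries` default falls to PFR_KENTRY_HIWAT_SMALL (100000) when pfctl sees `mem <= 100*1024*1024`, so "lower amounts of physical memory" can be stated as 100MB or less.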