On Sat, Jul 23, 2022 at 02:16:16PM +0200, Moritz Buhl wrote:
> On Thu, Jul 21, 2022 at 10:25:09PM +0100, Jason McIntyre wrote:
> ...
> > it looks like the "set limit" text in pf.conf(5) might need some small
> > adjustments:
> > 
> > - as well as the "anchors" limit, it does not document "pktdelay-pkts"
> > 
> > - for entries where defaults are not documented, it is not clear whether
> >   this is an omission or they are just not limited by default (in the
> >   same way that things like table numbers are limited). those affected
> >   seem to be src-nodes and pktdelay-pkts
> 
> All of these limits have defaults that are sometimes set in the
> kernel or with the first pfctl invocation during boot:
> 
> /usr/src/sbin/pfctl.c:
> 1726         pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
> ...
> 1729         pf->limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;
> 
> /usr/include/net/pfvar.h:
> #define       PFSNODE_HIWAT           10000   /* default source node table size */
> ...
> #define       PF_PKTDELAY_MAXPKTS     10000   /* max # of pkts held in delay queue */
> 
> 
> > - the two entries for "table-entries" are confusing. it seems to be that
> >   machines with less than a specific amount of memory have their entries
> >   limited to the value of _SMALL. but the way it's documented makes that
> >   unclear. i'm not sure whether the reader needs the names such as
> >   PFSTATE_HIWAT. i think it's just confusing to list it this way. we
> >   should probably have one item, table-entries, and say what the default
> >   is normally, and what it is for lesser memory setups.
> 
> /usr/src/sbin/pfctl.c:
> 1737         if (mem <= 100*1024*1024)
> 1738                 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
> 
> If the machine has less than 100MB physical memory, ..._SMALL is set for
> PF_LIMIT_TABLE_ENTRIES.
> 

thanks, i've managed to fill in the blanks with your help. looking for
oks now.

jmc

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.596
diff -u -p -r1.596 pf.conf.5
--- pf.conf.5   27 May 2022 15:45:02 -0000      1.596
+++ pf.conf.5   23 Jul 2022 12:31:28 -0000
@@ -1236,65 +1236,55 @@ See
 .Xr pool 9
 for an explanation of memory pools.
 .Pp
-For example,
-to set the maximum number of entries in the memory pool used by state table
-entries (generated by
+Limits can be set on the following:
+.Bl -tag -width pktdelay_pkts
+.It Cm states
+Set the maximum number of entries in the memory pool used by state table
+entries (those generated by
 .Ic pass
 rules which do not specify
-.Cm no state )
-to 20000:
-.Pp
-.Dl set limit states 20000
-.Pp
-To set the maximum number of entries in the memory pool used for fragment
-reassembly to 2000:
-.Pp
-.Dl set limit frags 2000
-.Pp
-This maximum may not exceed, and should be well below, the maximum number
-of mbuf clusters
-.Pq sysctl kern.maxclusters
-in the system.
-.Pp
-To set the maximum number of entries in the memory pool used for tracking
+.Cm no state ) .
+The default is 100000.
+.It Cm src-nodes
+Set the maximum number of entries in the memory pool used for tracking
 source IP addresses (generated by the
 .Cm sticky-address
 and
 .Cm src.track
-options) to 2000:
-.Pp
-.Dl set limit src-nodes 2000
-.Pp
-To set limits on the memory pools used by tables:
-.Bd -literal -offset indent
-set limit tables 1000
-set limit table-entries 100000
-.Ed
-.Pp
-The first limits the number of tables that can exist to 1000.
-The second limits the overall number of addresses that can be stored
-in tables to 100000.
-.Pp
-Various limits can be combined on a single line:
-.Bd -literal -offset indent
-set limit { states 20000, frags 2000, src-nodes 2000 }
-.Ed
-.Pp
-.Xr pf 4
-has the following defaults:
-.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent
-.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000
-.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000
-.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent
-.El
-.Pp
+options).
+The default is 10000.
+.It Cm frags
+Set the maximum number of entries in the memory pool used for fragment
+reassembly.
+The maximum may not exceed, and should be well below,
+the maximum number of mbuf clusters
+.Pq sysctl kern.maxclusters
+in the system.
+The default is NMBCLUSTERS/32.
 .Dv NMBCLUSTERS
 defines the total number of packets which can exist in-system at any one time.
 Refer to
 .In machine/param.h
 for the platform-specific value.
+.It Cm tables
+Set the number of tables that can exist.
+The default is 1000.
+.It Cm table-entries
+Set the number of addresses that can be stored in tables.
+The default is 200000, or 100000 on machines with
+less than 100MB of physical memory.
+.It Cm pktdelay_pkts
+Set the maximum number of packets that can be held in the delay queue.
+The default is 10000.
+.It Cm anchors
+Set the number of anchors that can exist.
+The default is 512.
+.El
+.Pp
+Multiple limits can be combined on a single line:
+.Bd -literal -offset indent
+set limit { states 20000, frags 2000, src-nodes 2000 }
+.Ed
 .It Ic set Cm loginterface Ar interface | Cm none
 Enable collection of packet and byte count statistics for the given
 interface or interface group.
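Review bot: the new list item `.It Cm pktdelay_pkts` spells the keyword with an underscore, while the limit is referred to as "pktdelay-pkts" earlier in this thread; the `.It` should read `.It Cm pktdelay-pkts` (the `-width pktdelay_pkts` argument to `.Bl` only sets the column width and can stay). Two smaller points in the same hunk: under `.It Cm frags`, "The default is NMBCLUSTERS/32." drops the `.Dv` markup that the removed table used (`.Dv NMBCLUSTERS Ns /32`), so the constant is no longer marked up consistently with the `.Dv NMBCLUSTERS` on the following line; and under `.It Cm table-entries`, the pfctl check quoted above is `mem <= 100*1024*1024`, so "less than 100MB" is slightly off from the actual condition (at most 100MB), which may be worth wording precisely.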
