CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	kp <kp@FreeBSD.org>
	Mon, 11 Feb 2019 19:08:03 +0000 (19:08 +0000)
committer	kp <kp@FreeBSD.org>
	Mon, 11 Feb 2019 19:08:03 +0000 (19:08 +0000)
commit	818d46d463297cf17aaf1cabdf83efd877994b60
tree	b510fe7f5b5d0165c5041f2874cbcadd02a5b4b8	tree \| snapshot
parent	dcc944785e97d7fef281f74ec06b1b025acecaea	commit \| diff

MFC r343520:

pfctl: Point users to net.pf.request_maxcount if large requests are rejected

The kernel will reject very large tables to avoid resource exhaustion
attacks. Some users run into this limit with legitimate table
configurations.

The error message in this case was not very clear:

  pf.conf:1: cannot define table nets: Invalid argument
  pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount sysctl,
and if we've tried to create more than that point the user at
net.pf.request_maxcount:

  pf.conf:1: cannot define table nets: too many elements.
  Consider increasing net.pf.request_maxcount.
  pfctl: Syntax error in config file: pf rules not loaded

PR: 235076