pfctl: fix resetting limits
Hello,
On Wed, Nov 19, 2025 at 11:34:19AM +0000, Carsten Beckmann wrote:
> Hi,
>
> I've noticed a few issues with pfctl that are caused by this change:
>
> https://github.com/openbsd/src/commit/85baac77515140239632c5e733ba5c896915fadc
>
> 'pfctl -F Reset' no longer resets limits back to their default because they are
> initialized with the currently active limit in pfctl_init_options now.
>
I agree that 'pfctl -F Reset' should set limits to the defaults set at
compile time. However, the proposed change is not quite right.
Consider a scenario as follows:
#
# prepare ruleset that increases anchors limit
# to 1024 and then loads 640 anchors to pf(4)
#
echo 'set limit anchors 1024' > anchors.conf
for i in `seq 640` ; do echo "anchor \"test_$i\"" >> anchors.conf ; done
#
# prepare a ruleset with single rule, it does not
# contain 'set limit...'
#
echo 'anchor "test_zero"' > one-anchor.conf
Use pfctl(8) in -current to load anchors.conf:
pfctl -f anchors.conf
echo $?
then load the single anchor:
pfctl -f one-anchor.conf
echo $?
Both commands succeed. Repeat the test with the fixed pfctl:
./pfctl -f anchors.conf
echo $?
./pfctl -f one-anchor.conf
echo $?
Loading one-anchor.conf fails with the error:
pfctl: Current pool size exceeds requested anchors limit 512
</snip>
Looking at the suggested change, I think the changes to pfctl_init_options()
should be reverted and the function left intact.
</snip>
> + pf->limit[PF_LIMIT_FRAGS] = mcl / 4;
> +
> + pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
> + pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
> + pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
> + pf->limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;
> + pf->limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT;
>
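Review bot: these six assignments reset the limits to compile-time constants inside pfctl_init_options(), which runs on every ruleset load and not only on 'pfctl -F Reset'; as the anchors test above shows, a ruleset without 'set limit' then fails with "Current pool size exceeds requested anchors limit 512" against a kernel that already holds 640 anchors. Move the block into pfctl_reset(), after its pfctl_init_options() call, so the normal load path keeps the currently active limits and only the explicit reset falls back to PFSNODE_HIWAT, PFR_KTABLE_HIWAT, PFR_KENTRY_HIWAT, PF_PKTDELAY_MAXPKTS, PF_ANCHOR_HIWAT and mcl / 4. Minor: the stray blank line between the PF_LIMIT_FRAGS and PF_LIMIT_SRC_NODES assignments can go.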
The changes above should go to pfctl_reset(), after the call to
pfctl_init_options() there.
thanks and
regards
sashan