'pfctl -fR' should attempt restore limits to compile-time defaults
Hello,
the issue has been pointed out by Carsten Beckmann here [1].
The earlier change:

    /* $OpenBSD: pfctl.c,v 1.396 2025/05/22 06:34:03 sashan Exp $ */
    The current way to adjust pf(4) limits in pf.conf(5) is inconvenient.
    For example when ruleset uses more than 512 anchors (the current default
    limit) one would typically add 'set limit anchor 1024' to adjust
    the limit so the 'pf.conf(5)' gets processed. Unfortunately it
    does not work because limit gets changed with DIOCXCOMMIT which
    is too late. The pf.conf(5) fails to load the anchors to transaction,
    because the old lower limit is still in place. To fix it we must
    set the limit as soon as we parse 'set limit ...' option.

prevents 'pfctl -fR' from attempting to restore limits set at compile time.
Before the change in 1.336 landed, pfctl(8) did an implicit reset of limits to
compile-time defaults whenever it was loading rules to the main ruleset.
1.336 makes pfctl(8) keep the current limits unless the ruleset sets a
new limit using a 'set limit ...' expression. I think this is desired
behaviour [2]. I think the missing piece here is to allow the user to explicitly
set limits to compile-time defaults using 'pfctl -fR'. The diff below
does exactly that.
thanks and
regards
sashan
[1] https://marc.info/?t=176355149900001&r=1&w=2
[2] https://marc.info/?l=openbsd-tech&m=176391996128335&w=2
--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index be1b4bf497c..6c91d6395c0 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2965,6 +2965,8 @@ pfctl_state_load(int dev, const char *file)
void
pfctl_reset(int dev, int opts)
{
+ int mib[2], mcl;
+ size_t size;
struct pfctl pf;
struct pfr_buffer t;
int i;
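Review bot: the three new locals `mib`, `mcl` and `size` exist only to repeat the kern.maxclusters sysctl that pfctl_init_options() already performs a few lines later in this same function; rather than duplicating the sysctl plumbing in pfctl_reset(), consider a small helper that returns the maxclusters-derived fragment limit and call it from both places, so the two copies cannot drift apart.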
@@ -2973,6 +2975,19 @@ pfctl_reset(int dev, int opts)
pf.dev = dev;
pfctl_init_options(&pf);
+ /*
+ * pfctl -fReset attempts to restore compile-time defaults,
+ * override the currently used limits we got from pfctl_init_options().
+ */
+ pf.limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
+ pf.limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
+ pf.limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
+ pf.limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;
+ pf.limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT;
+ if (sysctl(mib, 2, &mcl, &size, NULL, 0) == -1)
+ err(1, "sysctl");
+ pf.limit[PF_LIMIT_FRAGS] = mcl / 4;
+
/* Force reset upon pfctl_load_options() */
pf.debug_set = 1;
pf.reass_set = 1;
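Review bot: `mib` and `size` are passed to `sysctl(mib, 2, &mcl, &size, NULL, 0)` without ever being assigned in this hunk (or anywhere else in the patch), so the call queries an indeterminate OID with an indeterminate buffer length and `pf.limit[PF_LIMIT_FRAGS] = mcl / 4` is computed from whatever `mcl` happens to contain, or the request fails and `err(1, "sysctl")` aborts the reset. Initialise them the same way pfctl_init_options() does before the call, e.g. `mib[0] = CTL_KERN; mib[1] = KERN_MAXCLUSTERS; size = sizeof(mcl);`. Separately, PF_LIMIT_STATES is absent from the list of limits being restored to compile-time defaults; if leaving states alone is intentional the comment should say so, otherwise it needs an entry like the others. Minor: the comment says 'pfctl -fReset' while the mail and the subject use 'pfctl -fR'.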