From: Alexandr Nedvedicky
Subject: Re: Error when at startup more than 512 anchors are loaded from pf.conf
To: Rafał Ramocki
Cc: tech
Date: Tue, 6 May 2025 06:58:13 +0200

Hello,

On Mon, May 05, 2025 at 03:28:39PM +0200, Rafał Ramocki wrote:
> Hello,
>
> In this order, with your diff it will get loaded. But if you will have:
>
> ----8<-------8<-------8<-------8<-----------8<----
> set limit states 700000
> set limit src-nodes 500000
> set limit tables 2000
> set limit anchors 2000
>
> anchor test_0
> anchor test_1
> anchor test_2
> ----8<-------8<-------8<-------8<-----------8<----
>

It looks like it works for me. This is the pf.conf I'm using to test it:

----8<-------8<-------8<-------8<-----------8<----
set limit states 700000
set limit src-nodes 500000
set limit tables 2000
set limit anchors 2048

anchor "test_1"
anchor "test_2"
anchor "test_3"
anchor "test_4"
anchor "test_5"
...
anchor "test_1024"
----8<-------8<-------8<-------8<-----------8<----

the pf is enabled:

src# pfctl -si |grep Enabled
Status: Enabled for 0 days 00:06:38           Debug: err

it runs with default limits after boot:

src# pfctl -sm
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit    65536
tables        hard limit     1000
table-entries hard limit   200000
pktdelay-pkts hard limit    10000
anchors       hard limit      512

loading the file above I'm seeing it works:

src# pfctl -f pf-anchors.conf
src# pfctl -sm
states        hard limit   700000
src-nodes     hard limit   500000
frags         hard limit    65536
tables        hard limit     2000
table-entries hard limit   200000
pktdelay-pkts hard limit    10000
anchors       hard limit     2048

> you will have three errors for three limits set before anchors.

sorry if the question sounds dumb: are you using the right kernel with a matching pfctl tool? (I need to try it myself to see if it might be the case or not)

> error = qif->pfqops->pfq_addqueue(qif->disc, q);
>
> It looks like it is a very low level error.
>
> I also found out that this strange state is triggered when rules are loaded
> but there was no commit triggered. In the configuration I have very few queues.
> Only three actually.
>
> queue dl_XXXXX_limit on $if_XXXXX_ipsec bandwidth "120Mb"
> queue XXXXX_limit parent dl_XXXXX_limit bandwidth "50Mb"
> queue dl_XXXXXX_limit_default parent dl_XXXXX_limit bandwidth "40Mb" default
>
> pass in quick on $if_XXXXX_ipsec proto tcp from { X.X.X.X Y.Y.Y.Y } to Z.Z.Z.Z port { AAAA } rdr-to X.X.X.X port AAAA queue XXXXX_limit

I keep forgetting about queues. thank you for narrowing it down. I will try to reproduce it and see what I can figure out.

thanks and regards
sashan
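The thread turns on one number: the kernel boots with an anchors hard limit of 512 (the `pfctl -sm` output above), and a pf.conf that declares more anchors than that must raise `set limit anchors` first. The following added example, which is not from the thread or from OpenBSD, is a small pre-check an administrator could run before `pfctl -nf`: it counts top-level `anchor` declarations in a config, reads the configured `set limit anchors` value (falling back to the 512 default reported above), and fails when the declarations exceed the limit. The generated config is constructed for the demonstration and mirrors the shape of the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the default anchors hard
# limit is 512, as `pfctl -sm` reports after boot in the mail above.
DEFAULT_ANCHOR_LIMIT=512

# gen_conf N [LIMIT]: print a constructed pf.conf with N anchors; when
# LIMIT is given, emit `set limit anchors LIMIT` before the anchors, the
# way the tested config in the thread does.
gen_conf() {
    n=$1
    limit=$2
    printf 'set limit states 700000\n'
    if [ -n "$limit" ]; then
        printf 'set limit anchors %s\n' "$limit"
    fi
    printf '\n'
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'anchor "test_%d"\n' "$i"
        i=$((i + 1))
    done
}

# count_anchors FILE: number of lines that declare an anchor.
# `|| true` keeps a zero count from tripping `set -e` (grep -c exits 1
# when nothing matches).
count_anchors() {
    grep -c '^[[:space:]]*anchor[[:space:]]' "$1" || true
}

# anchor_limit FILE: the last `set limit anchors N` in the file, or the
# default when the config never raises it.
anchor_limit() {
    v=$(sed -n 's/^[[:space:]]*set[[:space:]]*limit[[:space:]]*anchors[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-$DEFAULT_ANCHOR_LIMIT}"
}

# check_conf FILE: exit 0 when every declared anchor fits under the
# limit that will be in force, 1 when loading would run past it.
check_conf() {
    n=$(count_anchors "$1")
    lim=$(anchor_limit "$1")
    if [ "$n" -gt "$lim" ]; then
        echo "$1: $n anchors exceed the anchors limit of $lim" >&2
        return 1
    fi
    echo "$1: $n anchors within the anchors limit of $lim"
    return 0
}
```

Usage: `gen_conf 1024 2048 > pf-anchors.conf && check_conf pf-anchors.conf` passes, while `gen_conf 600 > pf-default.conf && check_conf pf-default.conf` fails because nothing raised the limit above 512. The check is a static approximation of what the kernel will accept; the authoritative test remains `pfctl -nf` against the running kernel and its matching pfctl, which is the mismatch sashan asks about above.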