From: Alexandr Nedvedicky
Subject: Re: pfctl: fix resetting limits
To: Carsten Beckmann
Cc: "tech@openbsd.org"
Date: Sun, 23 Nov 2025 18:57:09 +0100

Hello,

On Wed, Nov 19, 2025 at 11:34:19AM +0000, Carsten Beckmann wrote:
> Hi,
>
> I've noticed a few issues with pfctl that are caused by this change:
>
> https://github.com/openbsd/src/commit/85baac77515140239632c5e733ba5c896915fadc
>
> 'pfctl -F Reset' no longer resets limits back to their default because they are
> initialized with the currently active limit in pfctl_init_options now.
>

I agree the 'pfctl -F Reset' should set limits to defaults set at compile
time. However, the proposed change is not quite right. Consider a scenario
as follows:

#
# prepare ruleset that increases anchors limit
# to 1024 and then loads 640 anchors to pf(4)
#
echo 'set limit anchors 1024' > anchors.conf
for i in `seq 640` ; do echo "anchor \"test_$i\"" >> anchors.conf ; done
#
# prepare a ruleset with single rule, it does not
# contain 'set limit...'
#
echo 'anchor "test_zero"' > one-anchor.conf

Use pfctl(8) in current to load anchors.conf:

pfctl -f anchors.conf
echo $?

then load the single anchor:

pfctl -f one-anchor.conf
echo $?

Both commands succeed. Repeat the test with the fixed pfctl:

./pfctl -f anchors.conf
echo $?
./pfctl -f one-anchor.conf
echo $?

Loading one-anchor.conf fails with error:

pfctl: Current pool size exceeds requested anchors limit 512

Looking at the suggested change, I think the changes to pfctl_init_options()
should be reverted and the function should be left intact.

> + pf->limit[PF_LIMIT_FRAGS] = mcl / 4;
> +
> + pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
> + pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
> + pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
> + pf->limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS;
> + pf->limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT;
>

The changes above should go to pfctl_reset() after the call to
pfctl_init_options() there.

thanks and regards
sashan
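Review bot: placing these compile-time defaults in pfctl_init_options() overwrites the limits pfctl has just read from the running kernel, so every ruleset load that carries no 'set limit' of its own (one-anchor.conf in the scenario above) asks pf(4) to shrink the anchors limit back to PF_ANCHOR_HIWAT while the previous ruleset's 640 anchors are still allocated, which is exactly the "Current pool size exceeds requested anchors limit 512" failure. Move the whole block, including the PF_LIMIT_FRAGS line, into pfctl_reset() after its pfctl_init_options() call, so the defaults are applied only on 'pfctl -F Reset' and ordinary loads keep inheriting the active limits.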
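To make the ordering argument concrete, here is a small C model of the limit handling described in the thread. It is an added illustration, not code from pfctl or pf(4): the struct names, the init_fn variants, the simplified pool check and the assumed value PF_ANCHOR_HIWAT = 512 (taken from the error message quoted above) are all constructed for this example. It runs the mail's two-step scenario once with pfctl_init_options() as it is in current and once with the proposed change, and shows where a reset path would apply the defaults instead.

```c
#include <stdio.h>
#include <string.h>

#define PF_ANCHOR_HIWAT 512   /* assumed compile-time default; matches the "512" in the error */

enum { PF_LIMIT_ANCHORS, PF_LIMIT_MAX };

struct kernel {                        /* state held by pf(4) (model) */
    unsigned limit[PF_LIMIT_MAX];
    unsigned pool_size[PF_LIMIT_MAX];  /* objects currently allocated in that pool */
};

struct pfctl {                         /* options pfctl collects while parsing a ruleset (model) */
    unsigned limit[PF_LIMIT_MAX];
};

typedef void (*init_fn)(struct pfctl *, const struct kernel *);

/* pfctl_init_options() as in current: start from the limits active in the kernel. */
static void init_options_current(struct pfctl *pf, const struct kernel *k)
{
    memcpy(pf->limit, k->limit, sizeof(pf->limit));
}

/* pfctl_init_options() as the proposed diff changes it: start from compile-time defaults. */
static void init_options_proposed(struct pfctl *pf, const struct kernel *k)
{
    (void)k;
    pf->limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT;
}

/* Simplified kernel check: a limit cannot be lowered below the pool's current occupancy. */
static int kernel_set_limit(struct kernel *k, int which, unsigned newlimit)
{
    if (k->pool_size[which] > newlimit) {
        fprintf(stderr,
            "pfctl: Current pool size exceeds requested anchors limit %u\n", newlimit);
        return -1;
    }
    k->limit[which] = newlimit;
    return 0;
}

/* Load a ruleset: build options with 'init', honour an explicit 'set limit anchors'
 * if present (0 means the ruleset has none), push the limit to the kernel while the
 * previous ruleset's anchors are still allocated, then install the new anchors. */
static int load_ruleset(struct kernel *k, init_fn init, unsigned set_limit_anchors,
                        unsigned nanchors)
{
    struct pfctl pf;

    init(&pf, k);
    if (set_limit_anchors != 0)
        pf.limit[PF_LIMIT_ANCHORS] = set_limit_anchors;
    if (kernel_set_limit(k, PF_LIMIT_ANCHORS, pf.limit[PF_LIMIT_ANCHORS]) != 0)
        return -1;
    k->pool_size[PF_LIMIT_ANCHORS] = nanchors;
    return 0;
}

/* Where the defaults belong: the 'pfctl -F Reset' path, after pfctl_init_options(). */
static int reset_limits(struct kernel *k)
{
    struct pfctl pf;

    init_options_current(&pf, k);
    pf.limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT;
    return kernel_set_limit(k, PF_LIMIT_ANCHORS, pf.limit[PF_LIMIT_ANCHORS]);
}

/* The mail's scenario: anchors.conf (set limit 1024, 640 anchors), then one-anchor.conf
 * (no 'set limit', one anchor). Returns 0 if both loads succeed, -1 otherwise. */
static int run_scenario(init_fn init)
{
    struct kernel k = { { PF_ANCHOR_HIWAT }, { 0 } };

    if (load_ruleset(&k, init, 1024, 640) != 0)
        return -1;
    return load_ruleset(&k, init, 0, 1);
}

/* Reset on a kernel whose limit was raised to 1024 but whose pool is empty after a
 * flush; returns the anchors limit in effect afterwards. */
static unsigned reset_scenario(void)
{
    struct kernel k = { { 1024 }, { 0 } };

    if (reset_limits(&k) != 0)
        return 0;
    return k.limit[PF_LIMIT_ANCHORS];
}

int main(void)
{
    printf("current pfctl:  %s\n", run_scenario(init_options_current) == 0 ? "ok" : "FAIL");
    printf("proposed pfctl: %s\n", run_scenario(init_options_proposed) == 0 ? "ok" : "FAIL");
    printf("after reset:    anchors limit %u\n", reset_scenario());
    return 0;
}
```

The second load only fails in the proposed variant because init_options_proposed() discards the active limit of 1024 and asks the kernel for 512 while 640 anchors still occupy the pool; applying the same defaults from reset_limits() leaves ordinary loads untouched.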