From: Alexandr Nedvedicky
Subject: 'pfctl -fR' should attempt restore limits to compile-time defaults
To: tech@openbsd.org
Date: Sun, 30 Nov 2025 12:43:46 +0100

Hello,

the issue has been pointed out by Carsten Beckmann here [1]. The earlier change:

    /* $OpenBSD: pfctl.c,v 1.396 2025/05/22 06:34:03 sashan Exp $ */

    The current way to adjust pf(4) limits in pf.conf(5) is inconvenient.
    For example when ruleset uses more than 512 anchors (the current
    default limit) one would typically add 'set limit anchor 1024' to
    adjust the limit so the 'pf.conf(5)' gets processed. Unfortunately it
    does not work because limit gets changed with DIOCXCOMMIT which is too
    late. The pf.conf(5) fails to load the anchors to transaction, because
    the old lower limit is still in place. To fix it we must set the limit
    as soon as we parse 'set limit ...' option.

prevents 'pfctl -fR' from attempting to restore the limits set at compile time.

Before the change in 1.336 landed, pfctl(8) did an implicit reset of limits to compile-time defaults whenever it was loading rules into the main ruleset. 1.336 makes pfctl(8) keep the current limits unless the ruleset sets a new limit using a 'set limit ...' expression. I think this is desired behaviour [2].

I think the missing piece here is to allow the user to explicitly set limits to compile-time defaults using 'pfctl -fR'. The diff below does exactly that.

thanks and regards
sashan

[1] https://marc.info/?t=176355149900001&r=1&w=2
[2] https://marc.info/?l=openbsd-tech&m=176391996128335&w=2

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index be1b4bf497c..6c91d6395c0 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2965,6 +2965,8 @@ pfctl_state_load(int dev, const char *file) void pfctl_reset(int dev, int opts) { + int mib[2], mcl; + size_t size; struct pfctl pf; struct pfr_buffer t; int i; 
@@ -2973,6 +2975,19 @@ pfctl_reset(int dev, int opts) pf.dev = dev; pfctl_init_options(&pf); + /* + * pfctl -fReset attempts to restore compile-time defaults, + * override the currently used limits we got from pfctl_init_options(). + */ + pf.limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT; + pf.limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT; + pf.limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT; + pf.limit[PF_LIMIT_PKTDELAY_PKTS] = PF_PKTDELAY_MAXPKTS; + pf.limit[PF_LIMIT_ANCHORS] = PF_ANCHOR_HIWAT; + if (sysctl(mib, 2, &mcl, &size, NULL, 0) == -1) + err(1, "sysctl"); + pf.limit[PF_LIMIT_FRAGS] = mcl / 4; + /* Force reset upon pfctl_load_options() */ pf.debug_set = 1; pf.reass_set = 1;
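Review bot: in the second hunk, `mib` and `size` are handed to sysctl(3) without ever being initialized; the first hunk only declares them (`int mib[2], mcl;` / `size_t size;`) and nothing between the declaration and `if (sysctl(mib, 2, &mcl, &size, NULL, 0) == -1)` assigns them, so the call reads indeterminate values and will either fail (and `err(1, "sysctl")` aborts the reset with a misleading error) or fill `mcl` from whatever MIB happens to be on the stack. Before the call, set the MIB the frags default is derived from (presumably kern.maxclusters, i.e. `mib[0] = CTL_KERN; mib[1] = KERN_MAXCLUSTERS;`) and `size = sizeof(mcl);`, matching how the `mcl / 4` default is computed elsewhere in pfctl; otherwise the PF_LIMIT_FRAGS value written here, unlike the five compile-time constants above it, is not a deterministic default.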