On 2021-04-14 07:16, Peter Ankerstål wrote:
In pf I use the interface group syntax alot to make the configuration more
readable. All interfaces are assigned to a group representing its use/vlan name.

For example:

ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"

ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan' up"
ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"

in pf.conf I use these group names all over the place. But since I upgraded to 13.0-RELEASE it no longer works to define a table using the :network syntax and
interface groups:

table   <nat_addresses> const { trusted:network mgmt:network dmz:network \
        guest:network edmz:network admin:network iot:network client:network }

If I reload the configuration I get the following:
# pfctl -f /etc/pf.conf
/etc/pf.conf:12: cannot create address buffer: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded

Some changes in the pf source have been made over the last couple
of months. The error returned appears to be related. It appears
that you're running into a table size/count and memory allocation
related error. The first change moved/changed memory allocation to
kernel space, requiring one to increase allocation via loader.conf(5).
It was recently moved back to userspace, allowing one to make changes
to a running system via sysctl.conf(5) or the command line.
IOW if you're on the recent change you should be able to simply
increase your table count by executing something like:
# echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
OTOH if you're stuck with the change in kernel space, increase
net.pf.request_maxcount=
by some amount in loader.conf(5). If you are on the newer userspace
change, you can issue the sysctl(8) command at your terminal for
net.pf.request_maxcount=
as well.

HTH

--Chris

I have tried using just one network, double-checked the interface group setting, and
so on, but with no luck.

Using the actual interface works just fine:

table   <nat_addresses> { igb1.300:network }

but using the group fails:

# ifconfig -g mgmt
igb1.300

table   <nat_addresses> { mgmt:network }

# pfctl -f /etc/pf.conf
/etc/pf.conf:12: cannot create address buffer: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded

Any ideas?

Thanks!

/Peter.
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
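A small helper script for the check Chris describes above, added here as an example and not part of the thread: it reads the hard limit for table-entries out of `pfctl -sm`, tells you whether it is below what a table would need, and prints the runtime `pfctl` form and the `net.pf.request_maxcount` loader.conf/sysctl lines. It assumes FreeBSD 13 pfctl(8) and sysctl(8); the needed entry count and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check pf's table-entries limit and
# the net.pf.request_maxcount knob before reloading a large table.
# Assumes FreeBSD 13 pfctl(8)/sysctl(8); sample values are constructed.

# Print the hard limit of one pf resource (e.g. table-entries) from
# `pfctl -sm` output read on stdin; prints nothing if the name is absent.
pf_limit() {
    awk -v want="$1" '$1 == want && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# True (exit 0) when the limit read from stdin is below the number of
# entries the table needs, i.e. the load would fail with "Invalid argument".
pf_limit_too_low() {
    limit=$(pf_limit "$1")
    [ "${limit:-0}" -lt "$2" ]
}

# Runtime command for the userspace allocation (the form given in the thread).
pf_raise_cmd() {
    printf 'echo "set limit table-entries %s" | pfctl -m -f -\n' "$1"
}

# Lines for the kernel-space allocation: a loader.conf(5) tunable, or the
# equivalent sysctl(8) call where the knob is writable at runtime.
pf_maxcount_cmds() {
    printf 'net.pf.request_maxcount="%s"   # /boot/loader.conf\n' "$1"
    printf 'sysctl net.pf.request_maxcount=%s\n' "$1"
}

# Live check, only where pfctl exists; PF_NEEDED_ENTRIES is a placeholder
# for the number of addresses your :network tables expand to.
if command -v pfctl >/dev/null 2>&1; then
    needed=${PF_NEEDED_ENTRIES:-500000}
    if pfctl -sm | pf_limit_too_low table-entries "$needed"; then
        echo "table-entries limit is below $needed; raise it with one of:"
        pf_raise_cmd "$needed"
        pf_maxcount_cmds "$needed"
    fi
fi
```

Re-run `pfctl -sm` after raising the limit to confirm the new value took effect before reloading pf.conf.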