On 22 May 2025 16:34:03 GMT+10:00, Alexandr Nedvedicky <sas...@cvs.openbsd.org>
wrote:
>CVSROOT: /cvs
>Module name: src
>Changes by: sas...@cvs.openbsd.org 2025/05/22 00:34:03
>
>Modified files:
> sbin/pfctl : pfctl.c
> sys/net : pf_ioctl.c
>
>Log message:
>The current way to adjust pf(4) limits in pf.conf(5) is inconvenient.
>For example, when a ruleset uses more than 512 anchors (the current default
>limit) one would typically add 'set limit anchor 1024' to adjust
>the limit so that pf.conf(5) gets processed. Unfortunately this
>does not work, because the limit gets changed with DIOCXCOMMIT, which
>is too late. pf.conf(5) fails to load the anchors into the transaction,
>because the old, lower limit is still in place. To fix it we must
>set the limit as soon as we parse the 'set limit ...' option.
>
>The issue was reported, and the fix tested, by rafal _dot_ ramocki _von_ eo.pl
>
>OK @bluhm
>