On Thu, Jul 21, 2022 at 07:07:57PM +0200, Martin Vahlensieck wrote:
> Hi
> 
> This is a diff to document the new anchors limit in pf.conf(5).  I
> inserted it as second-to-last item, as the following paragraph talks
> about NMBCLUSTERS.  While here: Is the double entry for table-entries
> intentional?
> 
> Best,
> 
> Martin
> 
> Index: pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.596
> diff -u -p -r1.596 pf.conf.5
> --- pf.conf.5 27 May 2022 15:45:02 -0000      1.596
> +++ pf.conf.5 21 Jul 2022 17:00:53 -0000
> @@ -1287,6 +1287,7 @@ has the following defaults:
>  .It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000
>  .It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000
>  .It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000
> +.It anchors Ta Dv PF_ANCHOR_HIWAT Ta Pq 512
>  .It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent
>  .El
>  .Pp
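Review bot: the new row gives the `anchors` default (PF_ANCHOR_HIWAT, 512) but the `set limit` prose above this table never says what the limit bounds, so the keyword first appears here with no explanation; a sentence along the lines of "Set the number of anchors that can exist" next to the states/frags/src-nodes text would cover that. On the double `table-entries` rows you ask about: they document two kernel constants (PFR_KENTRY_HIWAT and PFR_KENTRY_HIWAT_SMALL) for a single keyword, which is why it reads like a duplicate; one row whose value states both figures and the lower-memory condition would remove the ambiguity.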
> 

it looks like the "set limit" text in pf.conf(5) might need some small
adjustments:

- as well as the "anchors" limit, it does not document "pktdelay-pkts"

- for entries where defaults are not documented, it is not clear whether
  this is an omission or they are just not limited by default (in the
  same way that things like table numbers are limited). those affected
  seem to be src-nodes and pktdelay-pkts

- the two entries for "table-entries" are confusing. it seems to be that
  machines with less than a specific amount of memory have their entries
  limited to the value of _SMALL. but the way it's documented makes that
  unclear. i'm not sure whether the reader needs the names such as
  PFSTATE_HIWAT. i think it's just confusing to list it this way. we
  should probably have one item, table-entries, and say what the default
  is normally, and what it is for lesser memory setups.

- i think the whole section should just be reduced to a simple list of
  what can be set, and any default values.

here's a stab at tidying up. i've inserted a couple of XXX for where i
came unstuck.

thoughts? help?

jmc

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.596
diff -u -p -r1.596 pf.conf.5
--- pf.conf.5   27 May 2022 15:45:02 -0000      1.596
+++ pf.conf.5   21 Jul 2022 21:22:08 -0000
@@ -1236,65 +1236,56 @@ See
 .Xr pool 9
 for an explanation of memory pools.
 .Pp
-For example,
-to set the maximum number of entries in the memory pool used by state table
-entries (generated by
+Limits can be set on the following:
+.Bl -tag -width pktdelay_pkts
+.It Cm states
+Set the maximum number of entries in the memory pool used by state table
+entries (those generated by
 .Ic pass
 rules which do not specify
-.Cm no state )
-to 20000:
-.Pp
-.Dl set limit states 20000
-.Pp
-To set the maximum number of entries in the memory pool used for fragment
-reassembly to 2000:
-.Pp
-.Dl set limit frags 2000
-.Pp
-This maximum may not exceed, and should be well below, the maximum number
-of mbuf clusters
-.Pq sysctl kern.maxclusters
-in the system.
-.Pp
-To set the maximum number of entries in the memory pool used for tracking
+.Cm no state ) .
+The default is 100000.
+.It Cm src-nodes
+Set the maximum number of entries in the memory pool used for tracking
 source IP addresses (generated by the
 .Cm sticky-address
 and
 .Cm src.track
-options) to 2000:
-.Pp
-.Dl set limit src-nodes 2000
-.Pp
-To set limits on the memory pools used by tables:
-.Bd -literal -offset indent
-set limit tables 1000
-set limit table-entries 100000
-.Ed
-.Pp
-The first limits the number of tables that can exist to 1000.
-The second limits the overall number of addresses that can be stored
-in tables to 100000.
-.Pp
-Various limits can be combined on a single line:
-.Bd -literal -offset indent
-set limit { states 20000, frags 2000, src-nodes 2000 }
-.Ed
-.Pp
-.Xr pf 4
-has the following defaults:
-.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent
-.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000
-.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000
-.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent
-.El
-.Pp
+options).
+The default is
+.\" XXX
+.It Cm frags
+Set the maximum number of entries in the memory pool used for fragment
+reassembly.
+The maximum may not exceed, and should be well below,
+the maximum number of mbuf clusters
+.Pq sysctl kern.maxclusters
+in the system.
+The default is NMBCLUSTERS/32.
 .Dv NMBCLUSTERS
 defines the total number of packets which can exist in-system at any one time.
 Refer to
 .In machine/param.h
 for the platform-specific value.
+.It Cm tables
+Set the number of tables that can exist.
+The default is 1000.
+.It Cm table-entries
+Set the number of addresses that can be stored in tables.
+The default is 200000, or 100000 on machines with
+lower amounts of physical memory.
+.\" XXX how much memory triggers _SMALL?
+.It Cm pktdelay_pkts
+.\" XXX what is this?
+.It Cm anchors
+Set the number of anchors that can exist.
+The default is 512.
+.El
+.Pp
+Multiple limits can be combined on a single line:
+.Bd -literal -offset indent
+set limit { states 20000, frags 2000, src-nodes 2000 }
+.Ed
 .It Ic set Cm loginterface Ar interface | Cm none
 Enable collection of packet and byte count statistics for the given
 interface or interface group.
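Review bot: the `.It Cm pktdelay_pkts` entry (and the matching `-width pktdelay_pkts`) spells the keyword with an underscore, while the limit is called pktdelay-pkts in the text above this diff; unless the hyphen was deliberately avoided, the tag should be `.It Cm pktdelay-pkts` (a hyphen is fine in a `-width` argument, unlike the space that `platform_dependent` in the removed `.Bl -column` line was standing in for). Two of the placeholder items also render badly as written: `.It Cm src-nodes` ends with the fragment "The default is" directly followed by the hidden `.\" XXX` comment, and `.It Cm pktdelay_pkts` has no body at all, so the formatted page shows a dangling sentence and an empty entry until the XXXs are resolved. Minor markup points: "The default is NMBCLUSTERS/32." is plain text while the next line uses `.Dv NMBCLUSTERS`, and the removed column row wrote it as `.Dv NMBCLUSTERS Ns /32`, which could be reused here for consistency; and `tables`, `table-entries` and `anchors` say "Set the number" where the other items say "Set the maximum number".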