Peter Ankerstål
2021-Apr-14 17:44 UTC
using interface groups in pf tables stopped working in 13.0-RELEASE
>> const { trusted:network mgmt:network dmz:network
>> guest:network edmz:network \
>> admin:network iot:network client:network }
>>
>> If I reload the configuration I get the following:
>> # pfctl -f /etc/pf.conf
>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>> pfctl: Syntax error in config file: pf rules not loaded
>
> Some changes in the pf source have been made over the last couple
> of months. The error returned appears to be related. It appears
> that you're running into a table size/count and memory allocation
> related error. The first change moved/changed memory allocation to
> kernel space, requiring one to increase allocation via loader.conf(5).
> It was recently moved back to userspace allowing one to make changes
> to a running system via sysctl.conf(5) or the command line.
> IOW if you're on the recent change you should be able to simply
> increase your table count by executing something like:
> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
> OTOH if you're stuck with the change in kernel space, increase
> net.pf.request_maxcount
> by some amount in loader.conf(5). If you are on the newer userspace
> change, you can issue the sysctl(8) command at your terminal for
> net.pf.request_maxcount
> as well.

I don't think so. Everything works normally if I switch from group name to
interface name in the config.

It seems to me that pf for some reason changed how it interprets group names
differently from 12.2-RELEASE-p4 and 13.0-RELEASE.

I don't really get how "anchor in from trusted:network" can resolve to
"anchor in inet6 all".

/Peter.
Chris
2021-Apr-14 18:04 UTC
using interface groups in pf tables stopped working in 13.0-RELEASE
On 2021-04-14 10:44, Peter Ankerstål wrote:
>>> const { trusted:network mgmt:network dmz:network
>>> guest:network edmz:network \
>>> admin:network iot:network client:network }
>>>
>>> If I reload the configuration I get the following:
>>> # pfctl -f /etc/pf.conf
>>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> Some changes in the pf source have been made over the last couple
>> of months. The error returned appears to be related. It appears
>> that you're running into a table size/count and memory allocation
>> related error. The first change moved/changed memory allocation to
>> kernel space, requiring one to increase allocation via loader.conf(5).
>> It was recently moved back to userspace allowing one to make changes
>> to a running system via sysctl.conf(5) or the command line.
>> IOW if you're on the recent change you should be able to simply
>> increase your table count by executing something like:
>> # echo "set limit table-entries <larger-table-count>" | pfctl -m -f -
>> OTOH if you're stuck with the change in kernel space, increase
>> net.pf.request_maxcount
>> by some amount in loader.conf(5). If you are on the newer userspace
>> change, you can issue the sysctl(8) command at your terminal for
>> net.pf.request_maxcount
>> as well.
>
> I don't think so. Everything works normally if I switch from group name to
> interface name in the config.

Sure. I only mentioned it because 1) the error you received looked almost
exactly the same as the one I encountered after the (pf source) changes,
2) a lot of work has been done recently (as I mentioned above). :-)

I'll defer to kp@ (Kristof Provost) for more insightful possibilities.
As he's done most all the recent work. :-)

--Chris

> It seems to me that pf for some reason changed how it interprets group names
> differently from 12.2-RELEASE-p4 and 13.0-RELEASE.
>
> I don't really get how "anchor in from trusted:network" can resolve to
> "anchor in inet6 all".
>
> /Peter.
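Added example, not from the thread and not FreeBSD's own configuration: a pf.conf fragment that puts the two table forms the thread contrasts side by side, together with the `table-entries` limit Chris mentions and the read-only pfctl checks a maintainer would run before trusting a reload. The table name `internal`, the `vlan*` interface names and the limit value are placeholders; the interface groups are assumed to already exist.

```conf
# /etc/pf.conf fragment (added example; names and values are placeholders)

# Limit Chris suggested raising; the value 400000 is a placeholder. It takes
# effect on reload, or at runtime with:
#   echo "set limit table-entries 400000" | pfctl -m -f -
set limit table-entries 400000

# Form from the report: members named by interface *group*. Interfaces are
# assumed to have been placed in groups with e.g. `ifconfig vlan10 group trusted`.
# On 13.0-RELEASE this is the definition that failed with
# "cannot create address buffer: Invalid argument".
table <internal> const { trusted:network mgmt:network dmz:network \
                         guest:network edmz:network admin:network \
                         iot:network client:network }

# Workaround Peter reports as working: name the member interfaces directly
# (vlan10 ... vlan80 are placeholder interface names). Enable instead of the
# group-name form above if the reload fails.
# table <internal> const { vlan10:network vlan20:network vlan30:network \
#                          vlan40:network vlan50:network vlan60:network \
#                          vlan70:network vlan80:network }

pass in quick from <internal> to any keep state

# Checks to run as root before and after the reload (commented so the file
# still loads):
#   pfctl -nvf /etc/pf.conf    # parse only; -v prints each rule as pf expanded it,
#                              # which is how a group-name rule showing up as
#                              # "inet6 all" becomes visible
#   pfctl -s memory            # current hard limits, including table-entries
#   pfctl -t internal -T show  # the addresses that actually populated the table
```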