Discussion:
NPF ruleset limit in -7?
Stephen Borrill
2018-10-15 15:55:15 UTC
I seem to recall a limit on loading rulesets with NPF at some time in the
past. I ask because of:

# egrep "^[[:space:]]*(pass|block)" /etc/npf.conf | wc -l
127
# npfctl reload
npfctl: npfctl_config_send: Invalid argument
# npfctl validate > /dev/null
# echo $?
0
# ls -l /etc/npf.conf
-rw-r--r-- 1 root wheel 17684 Oct 15 16:40 /etc/npf.conf

Doing some trimming:

# egrep "^[[:space:]]*(pass|block)" /etc/npf.conf | wc -l
101
# npfctl reload
#

Adding 1 extra innocuous line like "pass in from 10.0.0.0/16 to any port
5298":

# egrep "^[[:space:]]*(pass|block)" /etc/npf.conf | wc -l
102
# npfctl reload
npfctl: npfctl_config_send: Invalid argument

This is on:
NetBSD netmanager 7.1_STABLE NetBSD 7.1_STABLE (NETMANRAID) #37: Thu Feb 1 09:02:09 GMT 2018
--
Stephen


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Hauke Fath
2018-10-16 10:40:41 UTC
Post by Stephen Borrill
I seem to recall a limit on loading rulesets with NPF at some time in
the past. [...]
In all releases, that is; -the underlying library with its limitations
in dictionary size has apparently been replaced for npf in -current.

I applied the following patch

/<2>netbsd-8/src > cvs diff sys/net/npf/npf_ctl.c
Index: sys/net/npf/npf_ctl.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ctl.c,v
retrieving revision 1.48.2.1
diff -u -r1.48.2.1 npf_ctl.c
--- sys/net/npf/npf_ctl.c 17 Nov 2017 20:43:11 -0000 1.48.2.1
+++ sys/net/npf/npf_ctl.c 16 Oct 2018 10:37:08 -0000
@@ -522,8 +522,9 @@
else
#endif
{
+ /* XXX This size limit should really be a constant */
error = prop_dictionary_copyin_ioctl_size(pref, cmd,
&npf_dict,
- 4 * 1024 * 1024);
+ 16 * 1024 * 1024);
if (error)
return error;
}
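Review bot: the XXX comment added at the top of the hunk says the size limit should be a constant, yet the hunk still passes a second bare literal, `16 * 1024 * 1024`, to `prop_dictionary_copyin_ioctl_size()`; since the line is being touched anyway, give the cap a named `#define` and use it here, so the bound is documented in one place instead of being left as a TODO. The change also quadruples how much data one config-load ioctl will accept from userland (4 MiB to 16 MiB), and that cap appears to be what bounds the kernel memory this path will allocate for the dictionary, so the commit message should say why 16 MiB is the right figure for realistic rulesets and confirm that only a privileged caller can reach this ioctl.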

when I still had hopes in npf...

Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344

Stephen Borrill
2018-10-30 11:35:19 UTC
Post by Stephen Borrill
I seem to recall a limit on loading rulesets with NPF at some time in the
past. [...]
In all releases, that is; -the underlying library with its limitations in
dictionary size has apparently been replaced for npf in -current.
I applied the following patch
/<2>netbsd-8/src > cvs diff sys/net/npf/npf_ctl.c
Index: sys/net/npf/npf_ctl.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ctl.c,v
retrieving revision 1.48.2.1
diff -u -r1.48.2.1 npf_ctl.c
--- sys/net/npf/npf_ctl.c 17 Nov 2017 20:43:11 -0000 1.48.2.1
+++ sys/net/npf/npf_ctl.c 16 Oct 2018 10:37:08 -0000
@@ -522,8 +522,9 @@
else
#endif
{
+ /* XXX This size limit should really be a constant */
error = prop_dictionary_copyin_ioctl_size(pref, cmd,
&npf_dict,
- 4 * 1024 * 1024);
+ 16 * 1024 * 1024);
if (error)
return error;
}
The whole sized ioctls shebang is missing in -7, so the limit is something
tiny like 64kB as opposed to 4MB. Hence npf is unusable except for the
most trivial ruleset on -7 and earlier.

Pullups have been submitted (and tested) and so the 4MB limit should make
its way to -7 very soon.
when I still had hopes in npf...
Well, yeah, the ruleset limit makes you wonder how much real-world testing
it's had.
--
Stephen

