Date: Mon, 23 Aug 2010 11:16:48 -0400
From: Dan Pritts <danno@umich.edu>
To: Earl Lapus <earl.lapus@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf state options
Message-ID: <20100823151647.GD10713@maniac.deathstar.org>
In-Reply-To: <AANLkTinm-K68L64-j48sgUYwft%2BAU52njEeBAtHSxqS_@mail.gmail.com>
References: <AANLkTinm-K68L64-j48sgUYwft%2BAU52njEeBAtHSxqS_@mail.gmail.com>
I don't know the answer to your question, but can tell you that there
appears to be a bug in "set limit" parsing. It probably won't affect you
on states, but just in case, here goes:

If I put this in a pf.conf:

    set limit table-entries 500000

and then try to load a table with more than the default number of
entries, it pukes.

If I instead make a special /etc/pf.set (name not significant) with just
the set limit command, and then do this:

    /sbin/pfctl -f /etc/pf.set; /sbin/pfctl -f /etc/pf.conf

it works as I'd want. I assume this is because the tables are loaded
before the limits are raised. Oops.

On Mon, Aug 23, 2010 at 01:08:50PM +0800, Earl Lapus wrote:
> Hi,
>
> I've setup the following rules in pf.conf
> ---
> set limit states 20000
> pass in from 192.168.56.100 to any keep state (max 30000)
> ---
>
> It loads perfectly fine. However, if you noticed, the max states value
> in the rule (30000) is greater than the hard limit (20000).
> So my question is: what is the distinction between the states count
> specified in `set limit states (n)` with the `max (n)` specified in a
> rule? Are they at all related?
>
> Cheers!
>
> --
> There are seven words in this sentence.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

danno
--
dan pritts
danno@umich.edu
734-929-9770
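The following is an added example, not code from this thread or from the pf project: a small Python lint that reads a pf.conf, collects the `set limit` values, reports per-rule `max` caps that exceed the global `states` limit so they can be reviewed, reports a `set limit table-entries` that shares a file with `table` definitions (the situation Dan describes), and splits the `set limit` lines into a separate file so they can be loaded first with a second `pfctl -f`, as in his workaround. It assumes `set limit` is written either as `set limit <name> <n>` or as `set limit { <name> <n>, ... }`, that per-rule caps appear as `keep state (max <n>)` (or `modulate`/`synproxy state`), and that the caller knows each table's entry count; the sample configuration is constructed for the example.

```python
"""Lint helpers for pf.conf 'set limit' options.

Added example, not from the mailing-list thread. Assumed syntax (not stated
in the thread): 'set limit <name> <n>' or 'set limit { <name> <n>, ... }',
and per-rule caps as 'keep state (max <n>)' / 'modulate state (...)' /
'synproxy state (...)'.
"""
import re

# Constructed sample pf.conf: the values from the thread plus a file-backed
# table and a second rule, so every check below has something to look at.
SAMPLE_PF_CONF = """\
set limit states 20000
set limit { table-entries 500000, frags 2000 }
table <blocked> persist file "/etc/pf.blocked"
pass in from 192.168.56.100 to any keep state (max 30000)
pass in from 10.0.0.0/8 to any modulate state (max 100, source-track rule)
"""

SET_LIMIT_RE = re.compile(r'^\s*set\s+limit\s+(.*)$')
LIMIT_PAIR_RE = re.compile(r'([a-z-]+)\s+(\d+)')
STATE_OPTS_RE = re.compile(r'\b(?:keep|modulate|synproxy)\s+state\s*\(([^)]*)\)')
MAX_RE = re.compile(r'\bmax\s+(\d+)\b')
TABLE_RE = re.compile(r'^\s*table\s+<([^>]+)>')


def parse_limits(conf):
    """Return {limit_name: value} for every 'set limit' line in conf."""
    limits = {}
    for line in conf.splitlines():
        m = SET_LIMIT_RE.match(line)
        if not m:
            continue
        # Drop optional braces so both syntaxes yield the same name/value pairs.
        body = m.group(1).strip().strip('{}')
        for name, value in LIMIT_PAIR_RE.findall(body):
            limits[name] = int(value)
    return limits


def rule_state_caps(conf):
    """Return [(line_number, max_states)] for rules that carry a 'max' option."""
    caps = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = STATE_OPTS_RE.search(line)
        if not m:
            continue
        mx = MAX_RE.search(m.group(1))
        if mx:
            caps.append((lineno, int(mx.group(1))))
    return caps


def lint(conf, table_sizes=None):
    """Return warning strings; table_sizes maps table name -> entry count."""
    limits = parse_limits(conf)
    warnings = []
    states_limit = limits.get('states')
    if states_limit is not None:
        for lineno, cap in rule_state_caps(conf):
            if cap > states_limit:
                warnings.append(
                    f"line {lineno}: rule max {cap} exceeds "
                    f"'set limit states {states_limit}'")
    table_limit = limits.get('table-entries')
    has_tables = any(TABLE_RE.match(l) for l in conf.splitlines())
    if table_limit is not None and has_tables:
        # The thread reports that tables are loaded before a limit set in
        # the same file takes effect, so flag this layout for review.
        warnings.append(
            "'set limit table-entries' shares a file with table definitions; "
            "load the limit from a separate file first (see split_limits)")
    for name, count in (table_sizes or {}).items():
        if table_limit is not None and count > table_limit:
            warnings.append(
                f"table <{name}> has {count} entries > table-entries {table_limit}")
    return warnings


def split_limits(conf):
    """Split conf into ('set limit' lines, everything else), both newline-terminated.

    This reproduces the workaround from the thread: write the first part to
    /etc/pf.set and load it with 'pfctl -f /etc/pf.set' before loading the
    remaining rules with 'pfctl -f /etc/pf.conf'.
    """
    limit_lines, rest = [], []
    for line in conf.splitlines():
        (limit_lines if SET_LIMIT_RE.match(line) else rest).append(line)
    return "\n".join(limit_lines) + "\n", "\n".join(rest) + "\n"


if __name__ == "__main__":
    for w in lint(SAMPLE_PF_CONF, table_sizes={"blocked": 600000}):
        print("WARN:", w)
    limits_part, rules_part = split_limits(SAMPLE_PF_CONF)
    print("--- /etc/pf.set ---\n" + limits_part)
    print("--- /etc/pf.conf ---\n" + rules_part)
```

Run it against a real configuration by reading the file into `lint()`; the table entry counts are supplied by the caller (for a file-backed table, the line count of that file) because the lint does not open table files itself. The rule-cap check only flags values for review; it does not claim how pf resolves a per-rule `max` above the global limit, which is the question the thread leaves open.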