-.\" $OpenBSD: pf.conf.5,v 1.596 2022/05/27 15:45:02 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.597 2022/07/24 12:22:12 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org>
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 27 2022 $
+.Dd $Mdocdate: July 24 2022 $
.Dt PF.CONF 5
.Os
.Sh NAME
.Xr pool 9
for an explanation of memory pools.
.Pp
-For example,
-to set the maximum number of entries in the memory pool used by state table
-entries (generated by
+Limits can be set on the following:
+.Bl -tag -width pktdelay_pkts
+.It Cm states
+Set the maximum number of entries in the memory pool used by state table
+entries (those generated by
.Ic pass
rules which do not specify
-.Cm no state )
-to 20000:
-.Pp
-.Dl set limit states 20000
-.Pp
-To set the maximum number of entries in the memory pool used for fragment
-reassembly to 2000:
-.Pp
-.Dl set limit frags 2000
-.Pp
-This maximum may not exceed, and should be well below, the maximum number
-of mbuf clusters
-.Pq sysctl kern.maxclusters
-in the system.
-.Pp
-To set the maximum number of entries in the memory pool used for tracking
+.Cm no state ) .
+The default is 100000.
+.It Cm src-nodes
+Set the maximum number of entries in the memory pool used for tracking
source IP addresses (generated by the
.Cm sticky-address
and
.Cm src.track
-options) to 2000:
-.Pp
-.Dl set limit src-nodes 2000
-.Pp
-To set limits on the memory pools used by tables:
-.Bd -literal -offset indent
-set limit tables 1000
-set limit table-entries 100000
-.Ed
-.Pp
-The first limits the number of tables that can exist to 1000.
-The second limits the overall number of addresses that can be stored
-in tables to 100000.
-.Pp
-Various limits can be combined on a single line:
-.Bd -literal -offset indent
-set limit { states 20000, frags 2000, src-nodes 2000 }
-.Ed
-.Pp
-.Xr pf 4
-has the following defaults:
-.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent
-.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000
-.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000
-.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000
-.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent
-.El
-.Pp
+options).
+The default is 10000.
+.It Cm frags
+Set the maximum number of entries in the memory pool used for fragment
+reassembly.
+The maximum may not exceed, and should be well below,
+the maximum number of mbuf clusters
+.Pq sysctl kern.maxclusters
+in the system.
+The default is NMBCLUSTERS/32.
.Dv NMBCLUSTERS
defines the total number of packets which can exist in-system at any one time.
Refer to
.In machine/param.h
for the platform-specific value.
+.It Cm tables
+Set the number of tables that can exist.
+The default is 1000.
+.It Cm table-entries
+Set the number of addresses that can be stored in tables.
+The default is 200000, or 100000 on machines with
+less than 100MB of physical memory.
+.It Cm pktdelay_pkts
+Set the maximum number of packets that can be held in the delay queue.
+The default is 10000.
+.It Cm anchors
+Set the number of anchors that can exist.
+The default is 512.
+.El
+.Pp
+Multiple limits can be combined on a single line:
+.Bd -literal -offset indent
+set limit { states 20000, frags 2000, src-nodes 2000 }
+.Ed
.It Ic set Cm loginterface Ar interface | Cm none
Enable collection of packet and byte count statistics for the given
interface or interface group.
projects / openbsd / commitdiff