From 4fbb390c4ba2d4a12158b5e2edef87cf147cea4c Mon Sep 17 00:00:00 2001 From: jmc Date: Sun, 24 Jul 2022 12:22:12 +0000 Subject: [PATCH] document limit-item "anchors"; from martin vahlensieck while here, rework the "set limit" section: - use a simple list - add some missing defaults and limit-item mbuhl helped fill in some of the blanks ok kn --- share/man/man5/pf.conf.5 | 90 ++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 50 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 1c0c9a07bf5..3e5a17acb95 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.596 2022/05/27 15:45:02 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.597 2022/07/24 12:22:12 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 27 2022 $ +.Dd $Mdocdate: July 24 2022 $ .Dt PF.CONF 5 .Os .Sh NAME 
@@ -1236,65 +1236,55 @@ See .Xr pool 9 for an explanation of memory pools. .Pp -For example, -to set the maximum number of entries in the memory pool used by state table -entries (generated by +Limits can be set on the following: +.Bl -tag -width pktdelay_pkts +.It Cm states +Set the maximum number of entries in the memory pool used by state table +entries (those generated by .Ic pass rules which do not specify -.Cm no state ) -to 20000: -.Pp -.Dl set limit states 20000 -.Pp -To set the maximum number of entries in the memory pool used for fragment -reassembly to 2000: -.Pp -.Dl set limit frags 2000 -.Pp -This maximum may not exceed, and should be well below, the maximum number -of mbuf clusters -.Pq sysctl kern.maxclusters -in the system. -.Pp -To set the maximum number of entries in the memory pool used for tracking +.Cm no state ) . +The default is 100000. +.It Cm src-nodes +Set the maximum number of entries in the memory pool used for tracking source IP addresses (generated by the .Cm sticky-address and .Cm src.track -options) to 2000: -.Pp -.Dl set limit src-nodes 2000 -.Pp -To set limits on the memory pools used by tables: -.Bd -literal -offset indent -set limit tables 1000 -set limit table-entries 100000 -.Ed -.Pp -The first limits the number of tables that can exist to 1000. -The second limits the overall number of addresses that can be stored -in tables to 100000. -.Pp -Various limits can be combined on a single line: -.Bd -literal -offset indent -set limit { states 20000, frags 2000, src-nodes 2000 } -.Ed -.Pp -.Xr pf 4 -has the following defaults: -.Bl -column table-entries PFR_KENTRY_HIWAT_SMALL platform_dependent -.It states Ta Dv PFSTATE_HIWAT Ta Pq 100000 -.It tables Ta Dv PFR_KTABLE_HIWAT Ta Pq 1000 -.It table-entries Ta Dv PFR_KENTRY_HIWAT Ta Pq 200000 -.It table-entries Ta Dv PFR_KENTRY_HIWAT_SMALL Ta Pq 100000 -.It frags Ta Dv NMBCLUSTERS Ns /32 Ta Pq platform dependent -.El -.Pp +options). +The default is 10000. 
+.It Cm frags +Set the maximum number of entries in the memory pool used for fragment +reassembly. +The maximum may not exceed, and should be well below, +the maximum number of mbuf clusters +.Pq sysctl kern.maxclusters +in the system. +The default is NMBCLUSTERS/32. .Dv NMBCLUSTERS defines the total number of packets which can exist in-system at any one time. Refer to .In machine/param.h for the platform-specific value. +.It Cm tables +Set the number of tables that can exist. +The default is 1000. +.It Cm table-entries +Set the number of addresses that can be stored in tables. +The default is 200000, or 100000 on machines with +less than 100MB of physical memory. +.It Cm pktdelay_pkts +Set the maximum number of packets that can be held in the delay queue. +The default is 10000. +.It Cm anchors +Set the number of anchors that can exist. +The default is 512. +.El +.Pp +Multiple limits can be combined on a single line: +.Bd -literal -offset indent +set limit { states 20000, frags 2000, src-nodes 2000 } +.Ed .It Ic set Cm loginterface Ar interface | Cm none Enable collection of packet and byte count statistics for the given interface or interface group. -- 2.20.1
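Review bot: In the `frags` item of the third hunk, the default is written as plain text, "The default is NMBCLUSTERS/32.", while the very next line marks the same symbol up as `.Dv NMBCLUSTERS`; the removed defaults table used `.Dv NMBCLUSTERS Ns /32`, so the new line should keep that markup for consistency: `The default is` / `.Dv NMBCLUSTERS Ns /32 . ` Two smaller wording points in the same list: `tables`, `table-entries` and `anchors` read "Set the number of ..." whereas `states`, `src-nodes`, `frags` and `pktdelay_pkts` read "Set the maximum number of ...", and all of them are upper limits, so "maximum" belongs in each; and with the single-limit examples (`set limit states 20000`, `set limit frags 2000`) dropped, the only remaining example is the combined brace form, so one plain `set limit frags 2000` line before "Multiple limits can be combined" would keep the simple form documented.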