Author: kp
Date: Sat Dec 14 02:03:47 2019
New Revision: 355743
URL: https://svnweb.freebsd.org/changeset/base/355743

Log:
  pfctl: Warn users when they run into kernel limits
  
  Warn users when they try to add/delete/modify more items than the kernel will
  allow.
  
  Reviewed by:  allanjude (previous version), Lutz Donnerhacke
  Differential Revision:        https://reviews.freebsd.org/D22733

Modified:
  head/sbin/pfctl/pfctl_radix.c

Modified: head/sbin/pfctl/pfctl_radix.c
==============================================================================
--- head/sbin/pfctl/pfctl_radix.c       Sat Dec 14 00:43:17 2019        
(r355742)
+++ head/sbin/pfctl/pfctl_radix.c       Sat Dec 14 02:03:47 2019        
(r355743)
@@ -58,7 +58,24 @@ extern int dev;
 
 static int      pfr_next_token(char buf[], FILE *);
 
+static void
+pfr_report_error(struct pfr_table *tbl, struct pfioc_table *io,
+    const char *err)
+{
+       unsigned long maxcount;
+       size_t s;
 
+       s = sizeof(maxcount);
+       if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL,
+           0) == -1)
+               return;
+
+       if (io->pfrio_size > maxcount || io->pfrio_size2 > maxcount)
+               fprintf(stderr, "cannot %s %s: too many elements.\n"
+                   "Consider increasing net.pf.request_maxcount.",
+                   err, tbl->pfrt_name);
+}
+
 int
 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
 {
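Review bot: The second line of the warning in pfr_report_error has no terminating newline, so whatever the caller prints next for the failed ioctl is appended to the "Consider increasing net.pf.request_maxcount." line; the format string should end with `\n`. The helper also runs between the failed ioctl and the caller's own error report without preserving errno, so sysctlbyname or fprintf may change the value the caller goes on to print; save errno on entry and restore it before each return (this assumes <errno.h> is already included, which the hunk does not show). maxcount is left uninitialized as an unsigned long while the width of the net.pf.request_maxcount sysctl is not visible here; if the kernel exports it as a narrower type, only the low bytes are written and the comparison reads indeterminate data, so initialize it to 0 and confirm the declared type against the kernel's definition. pfr_clr_tables, which starts on the hunk's last line, continues outside the hunk.
```c
static void
pfr_report_error(struct pfr_table *tbl, struct pfioc_table *io,
    const char *err)
{
	unsigned long maxcount = 0;	/* TODO(review): match the kernel's sysctl type */
	size_t s = sizeof(maxcount);
	int saved_errno = errno;	/* the caller reports the ioctl's errno next */

	if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL,
	    0) == -1) {
		errno = saved_errno;
		return;
	}

	/* … unchanged: size comparison … */
		fprintf(stderr, "cannot %s %s: too many elements.\n"
		    "Consider increasing net.pf.request_maxcount.\n",
		    err, tbl->pfrt_name);
	errno = saved_errno;
}
```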
@@ -89,8 +106,10 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *n
        io.pfrio_buffer = tbl;
        io.pfrio_esize = sizeof(*tbl);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRADDTABLES, &io))
+       if (ioctl(dev, DIOCRADDTABLES, &io)) {
+               pfr_report_error(tbl, &io, "add table");
                return (-1);
+       }
        if (nadd != NULL)
                *nadd = io.pfrio_nadd;
        return (0);
@@ -110,8 +129,10 @@ pfr_del_tables(struct pfr_table *tbl, int size, int *n
        io.pfrio_buffer = tbl;
        io.pfrio_esize = sizeof(*tbl);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRDELTABLES, &io))
+       if (ioctl(dev, DIOCRDELTABLES, &io)) {
+               pfr_report_error(tbl, &io, "delete table");
                return (-1);
+       }
        if (ndel != NULL)
                *ndel = io.pfrio_ndel;
        return (0);
@@ -134,8 +155,10 @@ pfr_get_tables(struct pfr_table *filter, struct pfr_ta
        io.pfrio_buffer = tbl;
        io.pfrio_esize = sizeof(*tbl);
        io.pfrio_size = *size;
-       if (ioctl(dev, DIOCRGETTABLES, &io))
+       if (ioctl(dev, DIOCRGETTABLES, &io)) {
+               pfr_report_error(tbl, &io, "get table");
                return (-1);
+       }
        *size = io.pfrio_size;
        return (0);
 }
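Review bot: The new call passes `tbl`, which in pfr_get_tables is the caller's output buffer rather than the table being queried, so the warning names whatever sits in the first output slot and would dereference a NULL pointer if a caller probes the size with an empty buffer; the parallel hunk in pfr_get_tstats passes `filter` at this point. Change it to `pfr_report_error(filter, &io, "get table");`. pfr_get_tables starts before this hunk.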
@@ -157,8 +180,10 @@ pfr_get_tstats(struct pfr_table *filter, struct pfr_ts
        io.pfrio_buffer = tbl;
        io.pfrio_esize = sizeof(*tbl);
        io.pfrio_size = *size;
-       if (ioctl(dev, DIOCRGETTSTATS, &io))
+       if (ioctl(dev, DIOCRGETTSTATS, &io)) {
+               pfr_report_error(filter, &io, "get tstats for");
                return (-1);
+       }
        *size = io.pfrio_size;
        return (0);
 }
@@ -198,8 +223,10 @@ pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *
        io.pfrio_buffer = addr;
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRADDADDRS, &io))
+       if (ioctl(dev, DIOCRADDADDRS, &io)) {
+               pfr_report_error(tbl, &io, "add addresses in");
                return (-1);
+       }
        if (nadd != NULL)
                *nadd = io.pfrio_nadd;
        return (0);
@@ -221,8 +248,10 @@ pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *
        io.pfrio_buffer = addr;
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRDELADDRS, &io))
+       if (ioctl(dev, DIOCRDELADDRS, &io)) {
+               pfr_report_error(tbl, &io, "delete addresses in");
                return (-1);
+       }
        if (ndel != NULL)
                *ndel = io.pfrio_ndel;
        return (0);
@@ -245,8 +274,10 @@ pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = size;
        io.pfrio_size2 = (size2 != NULL) ? *size2 : 0;
-       if (ioctl(dev, DIOCRSETADDRS, &io))
+       if (ioctl(dev, DIOCRSETADDRS, &io)) {
+               pfr_report_error(tbl, &io, "set addresses in");
                return (-1);
+       }
        if (nadd != NULL)
                *nadd = io.pfrio_nadd;
        if (ndel != NULL)
@@ -275,8 +306,10 @@ pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *
        io.pfrio_buffer = addr;
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = *size;
-       if (ioctl(dev, DIOCRGETADDRS, &io))
+       if (ioctl(dev, DIOCRGETADDRS, &io)) {
+               pfr_report_error(tbl, &io, "get addresses from");
                return (-1);
+       }
        *size = io.pfrio_size;
        return (0);
 }
@@ -298,8 +331,10 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astat
        io.pfrio_buffer = addr;
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = *size;
-       if (ioctl(dev, DIOCRGETASTATS, &io))
+       if (ioctl(dev, DIOCRGETASTATS, &io)) {
+               pfr_report_error(tbl, &io, "get astats from");
                return (-1);
+       }
        *size = io.pfrio_size;
        return (0);
 }
@@ -318,8 +353,10 @@ pfr_clr_tstats(struct pfr_table *tbl, int size, int *n
        io.pfrio_buffer = tbl;
        io.pfrio_esize = sizeof(*tbl);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRCLRTSTATS, &io))
+       if (ioctl(dev, DIOCRCLRTSTATS, &io)) {
+               pfr_report_error(tbl, &io, "clear tstats from");
                return (-1);
+       }
        if (nzero)
                *nzero = io.pfrio_nzero;
        return (0);
@@ -341,8 +378,10 @@ pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *
        io.pfrio_buffer = addr;
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = size;
-       if (ioctl(dev, DIOCRTSTADDRS, &io))
+       if (ioctl(dev, DIOCRTSTADDRS, &io)) {
+               pfr_report_error(tbl, &io, "test addresses in");
                return (-1);
+       }
        if (nmatch)
                *nmatch = io.pfrio_nmatch;
        return (0);
@@ -365,8 +404,10 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr 
        io.pfrio_esize = sizeof(*addr);
        io.pfrio_size = size;
        io.pfrio_ticket = ticket;
-       if (ioctl(dev, DIOCRINADEFINE, &io))
+       if (ioctl(dev, DIOCRINADEFINE, &io)) {
+               pfr_report_error(tbl, &io, "define inactive set table");
                return (-1);
+       }
        if (nadd != NULL)
                *nadd = io.pfrio_nadd;
        if (naddr != NULL)