pfctl: Warn users when they run into kernel limits

Warn users when they try to add/delete/modify more items than the kernel will allow. Reviewed by: allanjude (previous version), Lutz Donnerhacke Differential Revision: https://reviews.freebsd.org/D22733
2019-12-14 02:03:47 +00:00 · 2019-12-14 02:03:47 +00:00 · 3c7fbb06a0
commit 3c7fbb06a0
parent 6f836483ec
1 changed files with 53 additions and 12 deletions
--- a/sbin/pfctl/pfctl_radix.c
+++ b/sbin/pfctl/pfctl_radix.c
@ -58,6 +58,23 @@ extern int dev;

 static int	 pfr_next_token(char buf[], FILE *);

+static void
+pfr_report_error(struct pfr_table *tbl, struct pfioc_table *io,
+    const char *err)
+{
+	unsigned long maxcount;
+	size_t s;
+
+	s = sizeof(maxcount);
+	if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL,
+	    0) == -1)
+		return;
+
+	if (io->pfrio_size > maxcount || io->pfrio_size2 > maxcount)
+		fprintf(stderr, "cannot %s %s: too many elements.\n"
+		    "Consider increasing net.pf.request_maxcount.",
+		    err, tbl->pfrt_name);
+}

 int
 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
@ -89,8 +106,10 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
 	io.pfrio_buffer = tbl;
 	io.pfrio_esize = sizeof(*tbl);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRADDTABLES, &io))
+	if (ioctl(dev, DIOCRADDTABLES, &io)) {
+		pfr_report_error(tbl, &io, "add table");
 		return (-1);
+	}
 	if (nadd != NULL)
 		*nadd = io.pfrio_nadd;
 	return (0);
@ -110,8 +129,10 @@ pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags)
 	io.pfrio_buffer = tbl;
 	io.pfrio_esize = sizeof(*tbl);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRDELTABLES, &io))
+	if (ioctl(dev, DIOCRDELTABLES, &io)) {
+		pfr_report_error(tbl, &io, "delete table");
 		return (-1);
+	}
 	if (ndel != NULL)
 		*ndel = io.pfrio_ndel;
 	return (0);
@ -134,8 +155,10 @@ pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size,
 	io.pfrio_buffer = tbl;
 	io.pfrio_esize = sizeof(*tbl);
 	io.pfrio_size = *size;
-	if (ioctl(dev, DIOCRGETTABLES, &io))
+	if (ioctl(dev, DIOCRGETTABLES, &io)) {
+		pfr_report_error(tbl, &io, "get table");
 		return (-1);
+	}
 	*size = io.pfrio_size;
 	return (0);
 }
@ -157,8 +180,10 @@ pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,
 	io.pfrio_buffer = tbl;
 	io.pfrio_esize = sizeof(*tbl);
 	io.pfrio_size = *size;
-	if (ioctl(dev, DIOCRGETTSTATS, &io))
+	if (ioctl(dev, DIOCRGETTSTATS, &io)) {
+		pfr_report_error(filter, &io, "get tstats for");
 		return (-1);
+	}
 	*size = io.pfrio_size;
 	return (0);
 }
@ -198,8 +223,10 @@ pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	io.pfrio_buffer = addr;
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRADDADDRS, &io))
+	if (ioctl(dev, DIOCRADDADDRS, &io)) {
+		pfr_report_error(tbl, &io, "add addresses in");
 		return (-1);
+	}
 	if (nadd != NULL)
 		*nadd = io.pfrio_nadd;
 	return (0);
@ -221,8 +248,10 @@ pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	io.pfrio_buffer = addr;
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRDELADDRS, &io))
+	if (ioctl(dev, DIOCRDELADDRS, &io)) {
+		pfr_report_error(tbl, &io, "delete addresses in");
 		return (-1);
+	}
 	if (ndel != NULL)
 		*ndel = io.pfrio_ndel;
 	return (0);
@ -245,8 +274,10 @@ pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = size;
 	io.pfrio_size2 = (size2 != NULL) ? *size2 : 0;
-	if (ioctl(dev, DIOCRSETADDRS, &io))
+	if (ioctl(dev, DIOCRSETADDRS, &io)) {
+		pfr_report_error(tbl, &io, "set addresses in");
 		return (-1);
+	}
 	if (nadd != NULL)
 		*nadd = io.pfrio_nadd;
 	if (ndel != NULL)
@ -275,8 +306,10 @@ pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size,
 	io.pfrio_buffer = addr;
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = *size;
-	if (ioctl(dev, DIOCRGETADDRS, &io))
+	if (ioctl(dev, DIOCRGETADDRS, &io)) {
+		pfr_report_error(tbl, &io, "get addresses from");
 		return (-1);
+	}
 	*size = io.pfrio_size;
 	return (0);
 }
@ -298,8 +331,10 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size,
 	io.pfrio_buffer = addr;
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = *size;
-	if (ioctl(dev, DIOCRGETASTATS, &io))
+	if (ioctl(dev, DIOCRGETASTATS, &io)) {
+		pfr_report_error(tbl, &io, "get astats from");
 		return (-1);
+	}
 	*size = io.pfrio_size;
 	return (0);
 }
@ -318,8 +353,10 @@ pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags)
 	io.pfrio_buffer = tbl;
 	io.pfrio_esize = sizeof(*tbl);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRCLRTSTATS, &io))
+	if (ioctl(dev, DIOCRCLRTSTATS, &io)) {
+		pfr_report_error(tbl, &io, "clear tstats from");
 		return (-1);
+	}
 	if (nzero)
 		*nzero = io.pfrio_nzero;
 	return (0);
@ -341,8 +378,10 @@ pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	io.pfrio_buffer = addr;
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = size;
-	if (ioctl(dev, DIOCRTSTADDRS, &io))
+	if (ioctl(dev, DIOCRTSTADDRS, &io)) {
+		pfr_report_error(tbl, &io, "test addresses in");
 		return (-1);
+	}
 	if (nmatch)
 		*nmatch = io.pfrio_nmatch;
 	return (0);
@ -365,8 +404,10 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size,
 	io.pfrio_esize = sizeof(*addr);
 	io.pfrio_size = size;
 	io.pfrio_ticket = ticket;
-	if (ioctl(dev, DIOCRINADEFINE, &io))
+	if (ioctl(dev, DIOCRINADEFINE, &io)) {
+		pfr_report_error(tbl, &io, "define inactive set table");
 		return (-1);
+	}
 	if (nadd != NULL)
 		*nadd = io.pfrio_nadd;
 	if (naddr != NULL)