# pfctl: DIOCSETLIMIT



## nick (Mar 7, 2014)

I have a vanilla FreeBSD 10.0-RELEASE system running PF with a trivial configuration (see below). If I attempt to load the configuration, I get:

```
# /sbin/pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT
#
```
As a result, no rules are loaded.

I patched pfctl to show which index/limit it was failing on:

```
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 200000
```
index 4 refers to PF_LIMIT_TABLE_ENTRIES.  I tested this out with a lower limit:

```
set limit table-entries 50
```
but it failed with the same error:

```
# ./pfctl-custom -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCSETLIMIT: index 4, limit 50
```
The UMA zone limits look like this:

```
# vmstat -z | egrep -i '(entries|limit)'
ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf table entries:       160,      0,       2,     123,       2,   0,   0
pf frag entries:         32,   5000,       0,       0,       0,   0,   0
#
```
I can't figure out why this is failing.  Does anyone have any ideas?

Nick

Configuration:

```
# grep "real memory" /var/run/dmesg.boot
real memory  = 8589934592 (8192 MB)
# uname -a
FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
#
```


```
ext_if="vlan112"
icmp_types_ipv4 = "echoreq"
set block-policy drop
set skip on lo0
set skip on vlan200
set skip on vlan250
table <fail2ban> persist
scrub in inet all
block in quick on $ext_if from <fail2ban> to any
block in log on $ext_if inet  all
pass out on $ext_if inet  all keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 } 
pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto udp from any to any port ntp
```


----------



## cbrace (Mar 16, 2014)

I'm encountering this as well since I upgraded to 10.0-RELEASE. Did you find out what is going on?


----------



## nick (Jan 12, 2015)

cbrace said:


> I'm encountering this as well since I upgraded to 10.0-RELEASE. Did you find out what is going on?


Yep, mismatched userland and kernel.  freebsd-update(8) screwed up and only upgraded the kernel.  The userland stayed at 9.x.  Doing a forced upgrade of the FreeBSD userland fixed the problem.


----------



## bthomson (Feb 5, 2015)

Bug is filed here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195568

But this worries me. What if this was a security update that didn't get applied? Shouldn't `freebsd-update` at least notice that the checksum is wrong on /sbin/pfctl and report that?

EDIT: After reading a little more about how it works, I suppose it is best practice to run `freebsd-update IDS` after every update and make sure nothing suspicious appears. In this case everything is terribly out of date even though the updates seemed to apply successfully.
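The failure mode discussed in this thread (a kernel upgraded to 10.0 while userland stayed at 9.x, so pfctl's ioctls no longer match the kernel) can be caught before it bites. The script below is an added example, not code from the thread or from freebsd-update(8): it compares kernel and userland release strings of the kind `freebsd-version -k` / `freebsd-version -u` print, and filters a `freebsd-update IDS` report down to entries under system binary and library directories. The IDS line format ("PATH has SHA256 hash X, but should have Y.") and the sample report are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag a kernel/userland release mismatch and pull the
# system-binary entries out of a freebsd-update IDS report.

# Strip the patch level so "10.0-RELEASE-p3" and "10.0-RELEASE" compare equal.
base_release() {
    printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'
}

# Return 0 when kernel and userland come from the same release, 1 otherwise.
versions_match() {
    [ "$(base_release "$1")" = "$(base_release "$2")" ]
}

# Keep only IDS lines for paths under system directories (binaries, libraries,
# kernel); /etc and similar are skipped because local edits are expected there.
# The line format is assumed from freebsd-update(8)'s hash-mismatch message.
ids_system_mismatches() {
    grep -E '^/(bin|sbin|lib|libexec|boot|usr/(bin|sbin|lib|libexec))/[^ ]+ has SHA256 hash '
}

# Live check for a real host; freebsd-version(1) -k and -u exist since 10.0.
check_live_host() {
    k=$(freebsd-version -k) || return 2
    u=$(freebsd-version -u) || return 2
    if versions_match "$k" "$u"; then
        echo "ok: kernel $k, userland $u"
    else
        echo "MISMATCH: kernel $k, userland $u (run 'freebsd-update IDS' and finish the upgrade)"
        return 1
    fi
}

# Constructed sample IDS report: two system binaries and one locally edited config.
SAMPLE_IDS='/sbin/pfctl has SHA256 hash aaaa, but should have bbbb.
/etc/pf.conf has SHA256 hash cccc, but should have dddd.
/usr/bin/login has SHA256 hash eeee, but should have ffff.'

if [ "${1:-}" = "--live" ]; then
    check_live_host
else
    # Offline demonstration with the situation described in this thread.
    versions_match "10.0-RELEASE-p3" "9.2-RELEASE-p10" || echo "sample: kernel/userland mismatch"
    printf '%s\n' "$SAMPLE_IDS" | ids_system_mismatches
fi
```

Run it with `--live` on a FreeBSD host to check the running system; without arguments it exercises the constructed sample only.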


----------



## junovitch@ (Feb 5, 2015)

There is an improvement on Phabricator for freebsd-update(8) to help in the situation.  It wouldn't prevent someone from only updating a kernel and calling it a day but it would at least prevent installing any other updates until the full upgrade with userland and everything was finished.
https://reviews.freebsd.org/D1550


----------

