core: Error when trying to load into Firewall Alias IP Table with a large number of IPs
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- I have searched the existing issues and I am convinced that mine is new.
Describe the bug
OPNsense 21.1-amd64 FreeBSD 12.1-RELEASE-p12-HBSD OpenSSL 1.1.1i 8 Dec 2020
I am trying to load an alias IP table with a large number of addresses from a remote server. When I click Apply, the interface first thinks for a long time, after which it displays a window with the text "Invalid argument. [A_test]". Through Firewall > Diagnostics > pfTables, I see that the table is empty.
I decided to find out the reason by driving pfctl directly. Here's what happened in the end:
```
#
[... Many attempts at sizing the list...]
# tail -n 32768 ~/iptable >/tmp/iptable
# pfctl -t "A_test" -T replace -f /tmp/iptable && pfctl -t "A_test" -T show | wc -l
1 addresses added.
32768
# tail -n 32769 ~/iptable >/tmp/iptable
# pfctl -t "A_test" -T replace -f /tmp/iptable && pfctl -t "A_test" -T show | wc -l
pfctl: Invalid argument.
#
```
At the same time, the Firewall > Settings > Advanced > Firewall Maximum Table Entries field is empty, i.e. "On your system the default size is: 200000".
To Reproduce
Steps to reproduce the behavior:
- Go to ‘…’
- Click on ‘…’
- Scroll down to ‘…’
- See error
Expected behavior
A clear and concise description of what you expected to happen.
Describe alternatives you considered
A clear and concise description of any alternative solutions or workaround you considered.
Screenshots
If applicable, add screenshots to help explain your problem.
Relevant log files
If applicable, information from log files supporting your claim.
Additional context
Add any other context about the problem here.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 21.1-amd64 FreeBSD 12.1-RELEASE-p12-HBSD OpenSSL 1.1.1i 8 Dec 2020
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 16 (9 by maintainers)
@Limych wow, that's some table :) Tested. For this specific table (147259 records), a minimum value of 147259 is required for net.pf.request_maxcount in order to successfully execute the -Tadd command. To execute the -Treplace command (regardless of whether the table was flushed before that) it was necessary to set the minimum value to 262144. IMHO this is due to some buffering when processing the -Treplace command (checking if the limit is exceeded occurs only after reading the next block?). And although the minimum value of request_maxcount can be set slightly lower than two list lengths so that the -Treplace is guaranteed to work, it is easier to set it to twice the expected length of the largest table (by the way, on my test VM the default value is set to 1M).
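Added example (shell; not OPNsense code and not written by any participant in this thread): a pre-flight check that sizes an alias list against net.pf.request_maxcount using the rule of thumb from the comment above (N entries for -T add, about twice N for -T replace), plus a flush-and-add-in-chunks loader that keeps every single request under the limit, which is the path the comment reports as working with the smaller value. The sample list, the fake_pfctl stand-in that only records the commands it would run, and the limit value 8 are constructed for the demo; on FreeBSD the live limit is read with sysctl when no value is passed.

```shell
#!/bin/sh
# Constructed example: size a pf table load against net.pf.request_maxcount
# and load large lists in chunks. Not OPNsense code.

# Count address entries in a list file, ignoring blank and "#" comment lines.
count_entries() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || :
}

# Minimum net.pf.request_maxcount for one request of this list.
# "add" needs N entries; "replace" needed roughly 2*N in the tests reported
# in the comment above, so budget twice the size for it (empirical rule).
required_maxcount() {
    n=$(count_entries "$1")
    case "$2" in
        replace) echo $((n * 2)) ;;
        *)       echo "$n" ;;
    esac
}

# Compare the requirement with the live sysctl (FreeBSD) or with an explicit
# limit given as the third argument. Prints ok / too-large, returns 0 / 1.
check_table_load() {
    file=$1; mode=$2
    limit=${3:-$(sysctl -n net.pf.request_maxcount 2>/dev/null)}
    need=$(required_maxcount "$file" "$mode")
    if [ -n "$limit" ] && [ "$need" -le "$limit" ]; then
        echo "ok: need $need, limit $limit"
        return 0
    fi
    echo "too-large: need $need, limit ${limit:-unknown}"
    return 1
}

# Flush the table, then "-T add" the entries in chunks of at most $3 lines so
# no single request exceeds the limit. $4 is the loader command (pfctl by
# default); a stand-in can be passed to dry-run the sequence without pf.
load_in_chunks() {
    table=$1; file=$2; chunk=$3; loader=${4:-pfctl}
    tmp=$(mktemp -d) || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$file" | split -l "$chunk" - "$tmp/part."
    "$loader" -t "$table" -T flush || { rm -rf "$tmp"; return 1; }
    for part in "$tmp"/part.*; do
        "$loader" -t "$table" -T add -f "$part" || { rm -rf "$tmp"; return 1; }
    done
    rm -rf "$tmp"
}

# Stand-in for pfctl used by the demo: records the command line instead of
# touching pf, so the sequence can be inspected on any host.
FAKE_LOG=$(mktemp)
fake_pfctl() {
    echo "pfctl $*" >> "$FAKE_LOG"
}

# Constructed sample list: five entries, one comment line, one blank line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample list
192.0.2.1
192.0.2.2

198.51.100.0/24
203.0.113.7
203.0.113.8
EOF

# Demo with a deliberately small limit of 8 and chunks of 2 entries.
check_table_load "$SAMPLE" add 8       # ok: need 5, limit 8
check_table_load "$SAMPLE" replace 8   # too-large: need 10, limit 8
load_in_chunks A_test "$SAMPLE" 2 fake_pfctl && cat "$FAKE_LOG"
```

The chunked path is a workaround, not a free lunch: between the flush and the last add the table is empty, so a block rule that references the alias matches nothing for that window, and a pass rule matches less than intended. Where the table is security-critical, raising net.pf.request_maxcount as the comment suggests keeps the single atomic -T replace and avoids that gap; the check function above tells you in advance which of the two you are facing. The factor of two for replace is the commenter's measurement on one table, so treat it as a budget, not a guarantee.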