Bug #13366
Under or over size state tables cause pfctl error ``DIOCSETSYNCOOKIES``
Status: open
Description
On systems with excessively large RAM, where the default state table is huge, the following error is seen and traffic is not filtered or logged.
There were error(s) loading the rules: pfctl: DIOCSETSYNCOOKIES - The line in question reads [0]: @ 2022-07-19 13:56:03
I've only seen 2 cases of this so far. The last customer mentioned it was working fine in 2.5.2 before the upgrade to 2.6. The other one was on 22.01.
The fix is to set the maximum states to a reasonable amount. 32600000 worked in this case.
Maybe this should be capped at a certain maximum default value regardless of RAM?
Updated by Jim Pingle over 2 years ago
What was the limit before it was lowered?
How much RAM did they have?
It may be that we are calculating it based off system RAM when we should only be calculating it as a portion of kernel memory, but an upper bound may not be a bad idea.
Updated by Christopher Cope over 2 years ago
Jim Pingle wrote in #note-1:
What was the limit before it was lowered?
How much RAM did they have?
It may be that we are calculating it based off system RAM when we should only be calculating it as a portion of kernel memory, but an upper bound may not be a bad idea.
One of the cases I mentioned seems like it may have been manually set too high.
32600 MiB of RAM
Default: 3259000
Value: 326000000
The other one was just on the default with an enormous amount of RAM.
2096699 MiB of RAM
Default: 209669000
A warning may need to be added as well, for users who may elect to manually increase it too high. Oddly, as mentioned before it doesn't seem to cause any issues on 2.5.2. I'll do more testing to reproduce it and try to get more information.
Updated by Jim Pingle over 2 years ago
- Subject changed from Large state tables cause pfctl to not function to Under or over size state tables cause pfctl error ``DIOCSETSYNCOOKIES``
Updating the subject, I also saw this error when the states limit is set far too low (e.g. 1), so it isn't only triggered if the value is too high.
Updated by Kristof Provost over 2 years ago
Syncookie limits are configured as a percentage of the maximum number of states, so the error in DIOCSETSYNCOOKIES is likely due to that calculation not handling very low or very large numbers well.
It might be useful to teach pfctl to complain about improbable state limits (say less than 10 or more than whatever causes the calculation to fail).
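The two failure modes described in this thread (a percentage of a very small limit collapsing to zero, and a percentage of a very large limit overflowing a 32-bit product) can be shown with a small added C example. This is illustration code written for this page, not pf's or pfctl's own code: the 25%/12% watermark percentages, the `MIN_PLAUSIBLE_STATES` cutoff of 10, and the function names are assumed placeholders; the state limits fed through it are the ones quoted in the report (1, 3259000, 32600000, 209669000 and 326000000).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed placeholder percentages for the syncookie high/low watermarks.
 * They are NOT taken from pf; they only stand in for "a percentage of the
 * maximum number of states" as described in this bug thread. */
#define HIWAT_PCT 25u
#define LOWAT_PCT 12u

/* Smallest limit worth accepting, following the "say less than 10"
 * suggestion in the thread. Assumed value for this example. */
#define MIN_PLAUSIBLE_STATES 10u

/* Naive percentage-of-states computation done entirely in 32-bit unsigned
 * arithmetic. The product states * pct wraps modulo 2^32 once states
 * exceeds about 171 million (for pct = 25), so the result is silently
 * wrong for the very large limits quoted in this report. For a limit of 1
 * the result is simply 0. */
uint32_t naive_watermark(uint32_t states, uint32_t pct)
{
	return states * pct / 100u;
}

/* Checked computation: widen to 64 bits before multiplying, then reject
 * degenerate results (a zero high-water mark, or a low-water mark that is
 * not below the high-water mark, which is what a limit of 1 produces).
 * Returns true on success and fills in *hi and *lo. */
bool checked_watermarks(uint32_t states, uint32_t *hi, uint32_t *lo)
{
	uint64_t h = (uint64_t)states * HIWAT_PCT / 100u;
	uint64_t l = (uint64_t)states * LOWAT_PCT / 100u;

	if (h > UINT32_MAX || l > UINT32_MAX)
		return false;	/* would not fit a 32-bit tunable */
	if (h == 0 || l >= h)
		return false;	/* watermarks collapsed: limit too small */
	*hi = (uint32_t)h;
	*lo = (uint32_t)l;
	return true;
}

/* Front-end sanity check of the kind the thread proposes for pfctl:
 * refuse an implausibly small limit up front, then make sure the derived
 * watermarks are sane. Returns true if the limit is acceptable. */
bool validate_state_limit(uint32_t states, uint32_t *hi, uint32_t *lo)
{
	if (states < MIN_PLAUSIBLE_STATES)
		return false;
	return checked_watermarks(states, hi, lo);
}

int main(void)
{
	/* Limits quoted in this report, plus the degenerate value of 1. */
	const uint32_t samples[] = { 1u, 3259000u, 32600000u, 209669000u, 326000000u };
	size_t n = sizeof(samples) / sizeof(samples[0]);

	for (size_t i = 0; i < n; i++) {
		uint32_t hi = 0, lo = 0;
		bool ok = validate_state_limit(samples[i], &hi, &lo);
		printf("limit %10u: naive hi=%10u  checked %s hi=%u lo=%u\n",
		    samples[i], naive_watermark(samples[i], HIWAT_PCT),
		    ok ? "ok  " : "FAIL", hi, lo);
	}
	return 0;
}
```

Running it shows the naive 32-bit product giving 38550327 instead of 81500000 for a limit of 326000000, and 0 for a limit of 1, while the checked version either produces sane watermarks or rejects the limit outright. That rejection is the "complain about improbable state limits" behaviour suggested above, placed in the tool that reads the configuration rather than surfacing later as an opaque ioctl error.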
Updated by Kristof Provost over 2 years ago
I've proposed this fix upstream to cope with a state limit of 1: https://reviews.freebsd.org/D36497
It also deals with higher state limits, and now very high state limits break elsewhere (the numbers in this report work).
I'm not going to cherry pick this fix, because of the low severity and the fact that it's only visible under misconfiguration (a state limit of 1 is going to break a lot of things!). We'll pick the fix up as we merge in newer main versions.