Re: NPF ruleset limit in -7?

[Stephen Borrill <netbsd%precedence.co.uk@localhost>]

On Tue, 16 Oct 2018, Hauke Fath wrote:
> On 10/15/18 17:55, Stephen Borrill wrote:
> > I seem to recall a limit on loading rulesets with NPF at some time in the 
> > past. [...]
>
> In all releases, that is; -the underlying library with its limitations in 
> dictionary size has apparently been replaced for npf in -current.
>
> I applied the following patch
>
> /<2>netbsd-8/src > cvs diff sys/net/npf/npf_ctl.c
> Index: sys/net/npf/npf_ctl.c
> ===================================================================
> RCS file: /cvsroot/src/sys/net/npf/npf_ctl.c,v
> retrieving revision 1.48.2.1
> diff -u -r1.48.2.1 npf_ctl.c
> --- sys/net/npf/npf_ctl.c       17 Nov 2017 20:43:11 -0000      1.48.2.1
> +++ sys/net/npf/npf_ctl.c       16 Oct 2018 10:37:08 -0000
> @@ -522,8 +522,9 @@
>        else
> #endif
>        {
> +               /* XXX This size limit should really be a constant */
>                error = prop_dictionary_copyin_ioctl_size(pref, cmd, 
> &npf_dict,
> -                   4 * 1024 * 1024);
> +                   16 * 1024 * 1024);
>                if (error)
>                    return error;
>        }


The whole sized ioctls shebang is missing in -7, so the limit is something 
tiny like 64kB as opposed to 4MB. Hence npf is unusable except for the 
most trivial ruleset on -7 and earlier.

Pullups have been submitted (and tested) and so the 4MB limit should make 
its way to -7 very soon.

> when I still had hopes in npf...

Well, yeah, the ruleset limit makes you wonder how much real-world testing 
it's had.

--
Stephen