2.2.2 LIMITATION TO 64 POINTS FOR INTERFACES, VIPs, IPs - Serious Analysis

netr0ck

Hello everybody

This is the first time i post here, and i'm going to do this because i found a really effective limitation that i hope will be patched next release:

I found that you can't have (or) :

1) more then 30 Interfaces Assigned (with IPV4 <> none)
2) more than 61 Interfaces Assigned (with IPV4 and IPV6 == none)
3) more than 57 Virtual IPs and 2 Interfaces Assigned with IPv4 <> none

I made a lot of tests to analyze this limitation to help developers and i got the Formula and i can send FULL BACKUPS to help developers (it's not fine to add 1 per 1 X Virtual IPs or Interfaces to see that) !

The limit is 64 . (Don't know where, or why, and it has been reached either in 32 and 64 bit pfsense 2.2.2)

This 64 is calculated in this manner:

+1 for each interface you ASSIGN
+1 for each interface you SET IPV4 (maybe another +1 for IPv6) <> none
+1 for each Virtual IP you set (no matter if CARP, Alias or Other)
+3 Constant points that may be related with: lo0 IF (+1) lo0 IPv4 default assigned (+1) lo0 IPv6 default assigned (+1)

According with the analysis done for 10+ new installations (physical and virtual)I think the problem is related with the MACRO "This Firewall ()" but I can't say exactly

Is there someone that can enlighten me about this?

The exact error you get when you hit the 65th point:

pfi_table_update: cannot set 65 new addresses into table self: 22

that 65 can be increased (and you will show the error again while reboot according to the formula i show up! You get 65 when you reach exactly 65 points, but if you continue and you add more that number increase!

Effects: if you reach this limit, some IPs (random) STOP responding, I hope you will never see the management IP stop responding, but i did and i could com to firewall just after rebooting so i TIP to don't exceed this 64 Value.

Please let me know if can i contrib to the solving of this problem, right to test it i've made a script that automatically add how many consecutive VIP you want, so thumb up for this Analysis.

netr0ck

this is the code that give the error:

void
pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags)
{
int e, size2 = 0;
struct ifg_member *ifgm;

pfi_buffer_cnt = 0;

if (kif->pfik_ifp != NULL)
pfi_instance_add(kif->pfik_ifp, net, flags);
else if (kif->pfik_group != NULL)
TAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next)
pfi_instance_add(ifgm->ifgm_ifp, net, flags);

if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2,
    NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK)))
printf("pfi_table_update: cannot set %d new addresses "
    "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
}

jimp

There's already a patch for this in 2.2.3.