2.2.2 LIMITATION TO 64 POINTS FOR INTERFACES, VIPs, IPs - Serious Analysis



  • Hello everybody

    This is the first time I have posted here, and I'm doing so because I found a really effective limitation that I hope will be patched in the next release:

    I found that you can't have (or):

    1) more than 30 Interfaces Assigned (with IPv4 <> none)
    2) more than 61 Interfaces Assigned (with IPv4 and IPv6 == none)
    3) more than 57 Virtual IPs and 2 Interfaces Assigned with IPv4 <> none

    I made a lot of tests to analyze this limitation to help developers, and I got the formula; I can send FULL BACKUPS to help developers (it's not fine to add X Virtual IPs or Interfaces one by one to see that)!

    The limit is 64. (I don't know where or why, and it has been reached in both 32-bit and 64-bit pfSense 2.2.2.)

    This 64 is calculated in this manner:

    +1 for each interface you ASSIGN
    +1 for each interface where you SET IPv4 <> none (maybe another +1 for IPv6)
    +1 for each Virtual IP you set (no matter if CARP, Alias or Other)
    +3 constant points that may be related to: lo0 IF (+1), lo0 IPv4 default assigned (+1), lo0 IPv6 default assigned (+1)

    According to the analysis done on 10+ new installations (physical and virtual), I think the problem is related to the MACRO "This Firewall ()", but I can't say exactly.

    Is there someone who can enlighten me about this?

    The exact error you get when you hit the 65th point:

    pfi_table_update: cannot set 65 new addresses into table self: 22

    That 65 can increase (and you will see the error again on reboot, according to the formula I showed)! You get 65 when you reach exactly 65 points, but if you continue and add more, that number increases!

    Effects: if you reach this limit, some IPs (random) STOP responding. I hope you will never see the management IP stop responding, but I did, and I could connect to the firewall just after rebooting, so my TIP is: don't exceed this value of 64.

    Please let me know if I can contribute to solving this problem; to test it I've made a script that automatically adds as many consecutive VIPs as you want, so thumbs up for this analysis.



  • This is the code that gives the error:

    void
    pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags)
    {
        int e, size2 = 0;
        struct ifg_member *ifgm;

        /* Start from an empty address buffer. */
        pfi_buffer_cnt = 0;

        /* Collect the addresses of the interface, or of every group member. */
        if (kif->pfik_ifp != NULL)
            pfi_instance_add(kif->pfik_ifp, net, flags);
        else if (kif->pfik_group != NULL)
            TAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next)
                pfi_instance_add(ifgm->ifgm_ifp, net, flags);

        /* Load the collected addresses into the table; on failure, log the
           address count, the table name and the error code. */
        if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2,
            NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK)))
            printf("pfi_table_update: cannot set %d new addresses "
                "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e);
    }
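
An added example, not code from the thread or from pfSense: it picks the error line out of a kernel log using the printf format quoted above, and evaluates the first post's empirical point formula against the three configurations that post lists. The log lines are constructed samples, and the function names, `LIMIT` and `CONSTANT` are assumptions taken from the poster's description, not from the kernel source.

```python
import re

# Constructed sample kernel log lines; the matching ones follow the printf
# format quoted in the thread ("cannot set %d new addresses into table %s: %d").
SAMPLE_LOG = """\
kernel: em0: link state changed to UP
kernel: pfi_table_update: cannot set 65 new addresses into table self: 22
kernel: pfi_table_update: cannot set 67 new addresses into table self: 22
"""

PFI_ERR = re.compile(
    r"pfi_table_update: cannot set (\d+) new addresses into table (\S+): (\d+)"
)
LIMIT = 64     # limit reported in the first post (assumption: empirical value)
CONSTANT = 3   # poster's guess: lo0 plus its default IPv4 and IPv6 addresses


def find_overflows(log_text):
    """Return (address_count, table_name, error_code) for each matching line."""
    return [(int(m[1]), m[2], int(m[3])) for m in PFI_ERR.finditer(log_text)]


def points(assigned, with_ipv4, vips):
    """Point total according to the first post's empirical formula."""
    if with_ipv4 > assigned:
        raise ValueError("interfaces with IPv4 cannot exceed assigned interfaces")
    return assigned + with_ipv4 + vips + CONSTANT


def headroom(assigned, with_ipv4, vips):
    """Points left before the reported limit; negative means over it."""
    return LIMIT - points(assigned, with_ipv4, vips)


if __name__ == "__main__":
    for count, table, err in find_overflows(SAMPLE_LOG):
        print(f"table {table}: {count} addresses rejected, error {err}")
    # The three configurations listed in the first post.
    for label, cfg in [("30 IFs with IPv4", (30, 30, 0)),
                       ("61 IFs without IP", (61, 0, 0)),
                       ("2 IFs with IPv4 + 57 VIPs", (2, 2, 57))]:
        print(f"{label}: {points(*cfg)} points, headroom {headroom(*cfg)}")
```

Adding one more interface or Virtual IP to any of the three listed configurations gives 65 points, the count at which the first post reports the error.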


  • Rebel Alliance Developer Netgate

    There's already a patch for this in 2.2.3.

