Strange error: There were error(s) loading the rules: pfctl: pfctl_rules
-
@chrisjenk said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
The /tmp/rules.debug file contains lots of rules (417 lines worth in fact).
That's after rebooting though? I was just wondering if you had checked it at the time when it was throwing the error.
-
@stephenw10 said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
@chrisjenk said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
The /tmp/rules.debug file contains lots of rules (417 lines worth in fact).
That's after rebooting though? I was just wondering if you had checked it at the time when it was throwing the error.
I checked it, and ran the command, before rebooting and after rebooting. Before the reboot, the file, which contained a lot of rules, gave the exit code of 1 and the one after the reboot, which also contained a lot of rules, did not. Of course, I stupidly forgot to preserve the before reboot version of the file so I am not able to compare them :-(
-
Hmm, well if you see it again backup the file to check.
I've been unable to replicate that error here so far.Steve
-
@stephenw10 said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
Hmm, well if you see it again backup the file to check.
I've been unable to replicate that error here so far.Steve
Will do!
-
I got called to a customer this morning cause "nothing was working" and I'm greeted with the same error here. Even when I create an empty file and try to load it using
pfctl -v -f /tmp/nothingI see that output with an exit code of 1. Rebooting does not help here, same thing afterwards. Trying to use the x-parameter to set the verbosity to "info" or "verbose" as described in the man page does not work either, the log level is simply not recognized and it fails. EDIT: pfsense still uses the old "loud" name for the debug level. Doesn't shed any light on what's going on though as dmesg doesn't produce any additional output except for pf_map_addr: selected address 192.168.x.y.
So either an empty file is expected to cause this (I don't think so though) or it's not about the rule files content but about something else.
-
You can make it more verbose with extra
vflags. But I expect it to at least return something:[22.05-RELEASE][admin@4100-2.stevew.lan]/root: pfctl -vvf /tmp/rules.bad Loaded 762 passive OS fingerprintsReturning only an error like that can be a kernel/world mismatch. Has it just been updated?
Steve
-
@stephenw10 I've ruled out a mismatch (and it worked after the update, so this is most likely not related to the update). The system was rebooted and then this apparently appeared.
The extra -v flags do cause that os fingerprint message to appear, but then only the pfctl_rules thing again with an exit code of 1.
-
Can you run any pfctl command? Like:
pfctl -sr -
@stephenw10 -sr is quiet but exit code is 0. When I do -sa I even get my configured aliases as a table, so apparently it all worked for a short time after rebooting so the rules and aliases were loaded properly.
-
This is in 2.6 on custom hardware?
-
@stephenw10 No, it's on 22.05. I'm sure a downgrade would fix it and I have the recovery image here already, but it would probably be better to do further debugging to see what causes pfctl to get in a state where it not longer wants to accept rules.
-
The only time I've been able to explain that is when there was a kernell mismatch causing pfctl not to function as expected with pf in the kernel.
Try:
[22.05-RELEASE][admin@4100-2.stevew.lan]/root: sha256 /sbin/pfctl SHA256 (/sbin/pfctl) = 4f9310145dfe739126392d77e7cb37d8cf845317f10624fb8b2fd1e408323761 [22.05-RELEASE][admin@4100-2.stevew.lan]/root: uname -a FreeBSD 4100-2.stevew.lan 12.3-STABLE FreeBSD 12.3-STABLE plus-RELENG_22_05-n202700-3ddaea61055 pfSense amd64 [22.05-RELEASE][admin@4100-2.stevew.lan]/root: freebsd-version -kur 12.3-STABLE 12.3-STABLE 12.3-STABLE -
That matches:
[22.05-RELEASE][root@XXXXXXX]/root: sha256 /sbin/pfctl SHA256 (/sbin/pfctl) = 4f9310145dfe739126392d77e7cb37d8cf845317f10624fb8b2fd1e408323761 [22.05-RELEASE][root@XXXXXXX]/root: uname -a FreeBSD XXXXXXXXXXXX 12.3-STABLE FreeBSD 12.3-STABLE plus-RELENG_22_05-n202700-3ddaea61055 pfSense amd64 [22.05-RELEASE][root@XXXXXXX]/root: freebsd-version -kur 12.3-STABLE 12.3-STABLE 12.3-STABLE -
Hmm, that's on custom hardware? Updated from CE to Plus?
-
It was on Plus 22.01, then it got upgraded to 22.05 and it worked perfectly fine. Then there was a power outage so the firewall got shutdown (graceful shutdown when the UPS ran out of battery) and after it booted again this issue started to appear. As there are multiple users affected by this apparently and rebooting sometimes seems to solve it (at least for others, for me it doesn't for some reason) there is probably some nasty bug somewhere. Shouldn't pfctl normally return an error message if something is not right?
-
It does if there's an error in the ruleset, yes. It doesn't if the rules file is empty though:
[22.05-RELEASE][admin@4100-2.stevew.lan]/root: pfctl -vvvf /tmp/rules.bad Loaded 762 passive OS fingerprints [22.05-RELEASE][admin@4100-2.stevew.lan]/root: echo $? 0We have seen devices load a kernel from another storage device but I've never been able to replicate that here. Obviously that only applies if you have more than one drive in the system.
And it doesn't appear to have happened here since the ported kernel is correct.However the other symptoms point to that.
Are there any errors in the boot log?
-
@stephenw10 said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
It does if there's an error in the ruleset, yes. It doesn't if the rules file is empty though:
You are getting exit code 0 there though, I am getting exit code 1 there.
@stephenw10 said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
We have seen devices load a kernel from another storage device but I've never been able to replicate that here. Obviously that only applies if you have more than one drive in the system.
It's a single drive only. I always wanted to migrate to ZFS though and use mirroring on this system, so maybe it's a good time now to backup the config and reinstall using ZFS on 2 drives.
I just saw in the system log this message from snort being logged:
s2c_pf_block() => ioctl() DIOCRADDADDRS: No such processSo maybe this gives more information on what's going on? I assume the same ioctl call is being made by pfctl aswell and most likely the same error is returned there? Just that pfctl isn't displaying that error.
In the boot log I am only seeing this error, but it seems unrelated:
dummynet: bad switch 21! -
Yeah those errors all point to a mismatch in something but I'm unsure what if the kernel and pfctl are correct.
The quickest way back up is going to be a re-install though.
Steve
-
Maybe it's the library thats not matching? Snort doesn't call pfctl I think, if it uses the library which pfctl also uses and that one is corrupted/wrong that could explain it.
sha256sum ./usr/lib/libpfctl* bd164a6f18720e395fae0b30ae552afb04b5a86919e9ab8e0ba433678ef5b75b ./usr/lib/libpfctl.a aa7aa511a5d26c453dbbae04568ae5cecd39407d2b53be1fc66d51669af796c4 ./usr/lib/libpfctl.so aa7aa511a5d26c453dbbae04568ae5cecd39407d2b53be1fc66d51669af796c4 ./usr/lib/libpfctl.so.5 -
@flole said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
Maybe it's the library thats not matching? Snort doesn't call pfctl I think, if it uses the library which pfctl also uses and that one is corrupted/wrong that could explain it.
sha256sum ./usr/lib/libpfctl* bd164a6f18720e395fae0b30ae552afb04b5a86919e9ab8e0ba433678ef5b75b ./usr/lib/libpfctl.a aa7aa511a5d26c453dbbae04568ae5cecd39407d2b53be1fc66d51669af796c4 ./usr/lib/libpfctl.so aa7aa511a5d26c453dbbae04568ae5cecd39407d2b53be1fc66d51669af796c4 ./usr/lib/libpfctl.so.5As the author of the custom Snort plugin I can tell you how it works. It is making direct
ioctl()system calls for all of its operations with the packet filter firewall. Those system calls will wind up using the library. You have a corrupted installation with mismatching versions of core system libraries.
