Strange error: There were error(s) loading the rules: pfctl: pfctl_rules
-
@kprovost said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
feeling adventurous
Always.
@kprovost said in Strange error: There were error(s) loading the rules: pfctl: pfctl_rules:
http://pfsense-build-01.netgate.com/~kp/kernel.tar.bz2
http ? Thought that was ditched some time ago.
pfsense-build-01.netgate.com is not accessible for the common morsels.
-
@gertjan Sorry, I thought that one was public.
Let's try https://people.freebsd.org/~kp/kernel.tar.bz2 then.
-
@kprovost I did get one today with pfctl -x loud executed first. Attached here in case it's still helpful.
I see the kernel you uploaded, I'll install it on the slave node in the HA cluster, it doesn't happen as often on the slave but at least it's not as risky to test it.
-
I believe the "real" errors can be seen in dmesg now, you should at least save the dmesg output somewhere in case it's needed.
-
@flole in dmesg right now all I'm seeing is
pf: wire key attach failed on all
messages. Not sure whether it's related at all.
If it's still helpful I can write some more code to capture it at the time of incident.
-
This is happening to me too on 22.05. Same "busy" message:
/root: pfctl -Fa
pfctl: pfctl_clear_eth_rules: Device busy
Mine popped up when trying to modify OpenVPN client settings.
Mine's as close to a virgin install as you can get on self-supplied hardware (2.6.0->22.01->22.05). It ran most of the day on 22.01 with no problem, then I upgraded to latest.
No custom packages, have not touched the file system other than to load one script back in.
-
@kprovost is it possible to get the kernel patch for armv7 (for the SG-3100), as most installs I have exhibiting the issue are using that platform?
-
@artooro Here's a kernel for the 3100. https://people.freebsd.org/~kp/kernel-3100.tar.bz2
I have NOT tested this kernel as I don't have a 3100. Be careful to ensure you don't break your device.
-
@kprovost after installing this kernel patch I was able to observe a collision of pf syscalls and it did not end up in a locked state like it did previously.
So far I'd say this patch is doing the job.
-
@kprovost I have also been running with the kernel patch. It seems to have resolved the problem for me as well.
-
Is this intended as a "proper" fix or just as a temporary workaround? Or asked differently: Will this be merged like this or will there be a different fix? Is there a diff available somewhere so I can see what was changed?
-
Right now these are test kernels just to prove we have found the issue. Now that appears to be the case, we will merge it and look at what we can do in existing 22.05 installs.
Steve
-
@flole It's a real fix, not a workaround. It's gone in upstream: https://cgit.freebsd.org/src/commit/?id=6ab80e7275091c900da8d2e84a7b0bb4c34a1e41
and I'll merge it to our local branch just as soon as this test-build finishes.
-
@kprovost would it be possible to also get the kernel patch for ARM64, as I have Netgate 2100s and a 1100 that also have this happening?
Thanks for all your help!
-
@artooro We don't need any further testing on different platforms.
The fix has been merged in all relevant branches (and upstream FreeBSD) and will be present in upcoming snapshots, when they're published again.
-
Apologies for bumping this relatively old thread but I'm seeing this on a new Netgate 6100 Max running pfSense+ 22.05-RELEASE. Is there a snapshot available that effectively has only this one merge included? This is a production machine so I want to keep the non-release deltas to a minimum.
-
@bblacey I don't believe so, no.
-
Any update or tutorial on this? Constantly happening on my SG-2440
-
It only affects the new layer2 rules in 22.05. The only real mitigation you can apply there is to avoid using them as far as possible. Otherwise you can upgrade to a 23.01 snapshot where it's fixed. Those are not in beta yet though.
Steve
-
@stephenw What are these new layer2 rules that are causing this problem, and how do we avoid using them? I have a firewall in production that constantly has this error, causing all sorts of problems for the client.