
    Strange error: There were error(s) loading the rules: pfctl: pfctl_rules

      artooro @kprovost

      @kprovost would it be possible to also get the kernel patch for ARM64 as I have Netgate 2100s and a 1100 that also have this happening.
      Thanks for all your help!

        kprovost @artooro

        @artooro We don't need any further testing on different platforms.
        The fix has been merged in all relevant branches (and upstream FreeBSD) and will be present in upcoming snapshots, when they're published again.

          bblacey @kprovost

          @kprovost

          Apologies for bumping this relatively old thread but I'm seeing this on a new Netgate 6100 Max running pfSense+ 22.05-RELEASE. Is there a snapshot available that effectively has only this one merge included? This is a production machine so I want to keep the non-release deltas to a minimum.

            kprovost @bblacey

            @bblacey I don't believe so, no.

              mardacs27 @stephenw10

              @stephenw10

              Any update or tutorial on this? Constantly happening on my SG-2440

                stephenw10 Netgate Administrator

                It only affects the new layer2 rules in 22.05. The only real mitigation you can apply there is to avoid using them as far as possible. Otherwise you can upgrade to a 23.01 snapshot where it's fixed. Those are not in beta yet though.

                Steve

                  lukeskyscraper @stephenw10

                  @stephenw What are these new layer2 rules that are causing this problem, and how do we avoid using them? I have a firewall in production that constantly has this error, causing all sorts of problems for the client.

                    kprovost @lukeskyscraper

                    @lukeskyscraper Only the captive portal feature uses layer 2 rules. Disabling captive portal should mean you won't run into the issue again.

                      ChrisJenk @kprovost

                      @kprovost I encountered the issue several times and I do not use captive portal at all (not even configured).

                        kprovost @ChrisJenk

                        @chrisjenk That's somewhat unexpected. It may be worth testing a 23.01 snapshot to confirm it fixes the issue for you as well, but there's no other workaround.

                          lukeskyscraper @kprovost

                          @kprovost I don't use any captive portal features either. I do use Adam:ONE though, as well as pfBlocker for geo IP lists. Yesterday I got this firewall to reload its filter by disabling pfBlocker, reloading, then re-enabling it afterwards. But... it seems to be a different fix every time this problem happens. Sometimes a reboot works, sometimes it works to back up and restore the full configuration, and this time it was pfBlocker.

                          I hope 23.01 becomes available soon. It would be nice if Netgate would put this fix out as a patch in the meantime...

                            djrobx @kprovost

                            @kprovost I ran into this and don't have a captive portal either. My configuration is pretty much the same that I have been using since 2.4.5, so not using any "new" features. I have not seen the issue recur since applying the kernel patch though.

                              artooro @lukeskyscraper

                              @lukeskyscraper what kind of hardware are you using? There is a patch for Intel and some ARM devices, which has been working for us.

                                stephenw10 Netgate Administrator

                                Yeah, there is a test kernel for 2205 still available earlier in this thread. It was very much for testing only but it might be a good test if you're hitting it without any layer2 rules.

                                Because this is a compiled in-kernel change it's not something we can release as a run-time patch. It would require a complete point release.

                                23.01 snapshots are currently available. Although right now there is some back end work happening which might mean they are not for a while today.

                                Steve

                                  lukeskyscraper @artooro

                                  @artooro This particular box is a Netgate 7100, so if there's an Intel patch available, I'd be happy to try it.

                                    artooro @lukeskyscraper

                                    @lukeskyscraper ok try these commands in an SSH prompt

                                    rm -r /boot/kernel.old
                                    mv /boot/kernel /boot/kernel.old
                                    curl -o /tmp/kernel.tar.bz2 https://people.freebsd.org/~kp/kernel.tar.bz2
                                    tar -xjf /tmp/kernel.tar.bz2 -C /boot
                                    

                                    And then reboot

                                    Make sure you have a config backup in case it goes wrong.

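
A pre-flight check for the kernel swap in the post above, as an added example that is not part of the thread or of Netgate's tooling: it verifies the tarball's SHA-256 and its member paths, then extracts into a staging directory so `/boot/kernel` is only touched after both checks pass. The thread gives no digest, so the expected value must be obtained from the publisher; the function names, the staging path and the assumption that the archive holds a top-level `kernel/` directory (inferred from the extraction into `/boot`) belong to this example.

```sh
#!/bin/sh
# Added example: pre-flight checks before replacing /boot/kernel.
# Function names and the staging directory are assumptions of this example.

# Print the SHA-256 of a file (sha256 on FreeBSD, sha256sum elsewhere).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Succeed only if every member sits under kernel/ and none uses "..".
members_ok() {
    list=$(tar -tf "$1" 2>/dev/null) || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | while IFS= read -r m; do
        case "$m" in
            /*|../*|*/../*|*/..) exit 1 ;;
        esac
        case "$m" in
            kernel|kernel/*|./kernel|./kernel/*) ;;
            *) exit 1 ;;
        esac
    done
}

# stage_kernel TARBALL EXPECTED_SHA256 STAGING_DIR
# Returns 0 with the kernel extracted under STAGING_DIR, never under /boot.
stage_kernel() {
    tarball=$1; want=$2; stage=$3
    got=$(file_sha256 "$tarball")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "digest mismatch: got '$got'" >&2
        return 2
    fi
    members_ok "$tarball" || { echo "unexpected paths in archive" >&2; return 3; }
    mkdir -p "$stage" && tar -xf "$tarball" -C "$stage" || return 4
    [ -f "$stage/kernel/kernel" ] || { echo "kernel/kernel missing" >&2; return 5; }
}

# Swap only after staging succeeded, keeping the old kernel for rollback
# (remove or rename any existing /boot/kernel.old first):
#   stage_kernel /tmp/kernel.tar.bz2 "$EXPECTED_SHA256" /boot/kernel.stage &&
#     mv /boot/kernel /boot/kernel.old &&
#     mv /boot/kernel.stage/kernel /boot/kernel
```

Staging under `/boot` keeps the final `mv` on the same filesystem, so the running kernel directory is never left half-extracted.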
                                      stephenw10 Netgate Administrator

                                      And an install image. Preferably on a USB drive ready to go. 😉

                                        lukeskyscraper @artooro

                                        @artooro Awesome thanks. The firewall is remote, at a site we visit weekly. If this issue crops up again by next week, then I'll try this kernel while someone is on site.

                                          mardacs27 @artooro

                                          @artooro can this also be tested on SG-2440 (Intel)?

                                            stephenw10 Netgate Administrator

                                            Yes, it will work on any amd64 device, they all share the same 22.05 kernel.
