Anyone know what this error could mean.
-
Hmm, in that case it's unclear what might have caused that... unless you might have had ether rules at some point?
-
There were no ether rules configured in the past.
This is a very simple firewall, only 3 packages installed (aws-wizard, ipsec-profile-wizard, openvpn-client-export), HFSC scheduler with floating match rules and tagging for Internet upstream, some vlan interfaces with inbound rules. I think I had one static route previously but it has been deleted a long time ago. Nothing else.
-
Well, as far as I know there is no way to clear that error once it has been hit other than rebooting, so I'm not sure you have any other choice beyond just allowing it to run as it is with the current ruleset.
Without any ether rules there I would expect it to boot back OK.
-
Try running
pfSsh.php playback pfanchordrill
at the command line. Make sure there are no ether rules that have been added dynamically.
-
Thank you for the command, I was just able to run it. No ether rules have been added dynamically.
[22.05-RELEASE][root@g.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
tftp-proxy rules/nat contents:
userrules rules/nat contents:
-
Was that after rebooting?
We discovered a bug that means dynamic ether rules were not being removed when you disable or remove a captive portal instance. So if you had a captive portal instance defined since you last rebooted, the rules could have remained and might trigger this issue. Since they would not be created at boot again, rebooting resolves it. That probably explains the behaviour many people have seen.
Steve
-
I haven't rebooted the device since the upgrade to version 22.05, which was months ago.
[22.05-RELEASE][root@g.localdomain]/root: uptime
4:02PM up 163 days, 4:11, 1 user, load averages: 0.08, 0.04, 0.01
But more importantly, I haven't enabled captive portal or dynamic ether rules. There were no features ever configured other than what I described earlier.
@turrican64 said in Anyone know what this error could mean.:
This is a very simple firewall, only 3 packages installed (aws-wizard, ipsec-profile-wizard, openvpn-client-export), HFSC scheduler with floating match rules and tagging for Internet upstream, some vlan interfaces with inbound rules. I think I had one static route previously but it has been deleted a long time ago. Nothing else.
-
Hmm, well if it's getting stuck in a similar way that's likely some new bug then or at least a variant of the known one with Ether rules.
If it is that it will likely be resolved by rebooting and that's the only way I'm aware of to clear the stuck loader process.
Steve
-
I've read that the developers have done enough testing, no more tests are required and the fix is already in the new kernel. However, since you mentioned this might be a new bug and since the box seems to be working OK in this state, I will not reboot it for now; maybe the developers would like to do some further checks later.
-
You can read through the thread where this was initially diagnosed here:
https://forum.netgate.com/topic/173923/strange-error-there-were-error-s-loading-the-rules-pfctl-pfctl_rules
I doubt anything can be learned at this point since the reported errors from there will always be 'device busy'. As shown there, we need to see the truss output leading up to the point where it gets stuck, which is the first time pfctl is run for those that were hitting it consistently.
Steve