DIOCADDRULENV Error

hypnosis4u2nv

@stephenw10 Unfortunately timestamps dont go back that far to see. I do have this recurring error in the routing log:

May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:43	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
May 29 10:35:44	miniupnpd	94484	ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

Also notice that snort is turning on by itself (I use suricata) even when the service is stopped. Wondering if that is contributing to this error.

stephenw10

@hypnosis4u2nv said in DIOCADDRULENV Error:

May 29 10:35:43 miniupnpd 94484 ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

Are you running the update miniupnpd pkg?

How are you disabling Snort?
Yes, running both Snort and Suricata is not supported.

hypnosis4u2nv

@stephenw10 Not sure what miniupnpd pkg I'm running, For now I uninstalled the Snort package.

stephenw10

There is an updated miniupnpd pkg available in 24.03. If you run pkg upgrade you will see it offered. It addresses this: https://redmine.pfsense.org/issues/15470

hypnosis4u2nv

@hypnosis4u2nv updated. Will follow up to see if this error reappears. Thanks!

hypnosis4u2nv

@stephenw10 Update didnt work.

There were error(s) loading the rules: pfctl: DIOCADDRULENV: No such file or directory - The line in question reads [0]: @ 2024-05-30 12:21:03
There were error(s) loading the rules: pfctl: DIOCADDRULENV: No such file or directory - The line in question reads [0]: @ 2024-05-30 12:21:05
There were error(s) loading the rules: pfctl: DIOCADDRULENV: No such file or directory - The line in question reads [0]: @ 2024-05-30 12:40:07

stephenw10

@hypnosis4u2nv said in DIOCADDRULENV Error:

May 29 10:35:44 miniupnpd 94484 ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

But you're not seeing the errors from miniupnpd?:
May 29 10:35:44 miniupnpd 94484 ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

hypnosis4u2nv

@stephenw10 Errors still exist in the miniupnpd

stephenw10

Hmm, and those errors occur at the same time I assume?

And still nothing else logged at that time? No even triggering this?

hypnosis4u2nv

@stephenw10 The miniupnpd errors are running constantly although they don't trip error logs, just in the routing logs.

The other DIOCADDRULENV error triggers an error and it seems to fluctuate when it does.

stephenw10

@hypnosis4u2nv said in DIOCADDRULENV Error:

The miniupnpd errors are running constantly

Ah, well that's an issue!

Hmm, what does uname -a show? I wonder if it's somehow still running an old kernel.

hypnosis4u2nv

@stephenw10 FreeBSD pfSense.localdomain 15.0-CURRENT FreeBSD 15.0-CURRENT #0 plus-RELENG_24_03-n256311-e71f834dd81: Fri Apr 19 00:28:14 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/obj/amd64/Y4MAEJ2R/var/jenkins/workspace/pfSense-Plus-snapshots-24_03-main/sources/FreeBSD-src-plus-RELENG_24_03/amd64.amd64/sys/pfSense amd64

Konstanti

@hypnosis4u2nv

May 29 10:35:44 miniupnpd 94484 ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

Hi
I don't know if this will help or not
But, judging by the code in the kernel, this error (in fact, this is not even a global error) suggests that some program is trying to add a rule identical to the one that has already been loaded into the kernel .
in this way,in my opinion, this is not a system error, but an application that is trying to make changes to a certain ruleset

hypnosis4u2nv

@Konstanti conflict between pfblocker and suricata or my current rules conflicting with either of them?

stephenw10

More like a UPnP application in some downstream client trying to open the same port forward repeatedly.

However I would have thought miniupnpd would know that and not try to open it. Some more useful error in that situation seems likely.

hypnosis4u2nv

@stephenw10 anyway to troubleshoot this?

stephenw10

Well first I'd try disabling upnp just be sure it stops.

Then try blocking individual hosts from opening upnp forwards and see if that can be narrowed down to a single host opening conflicting ports. Though as I say I'd expect miniupnpd to see that the port is already open and just reject the request....

hypnosis4u2nv

@stephenw10 I'm away for a couple of days, I'll look into it when I get back. Thanks for your help.