Pfctl -k id not working?



  • Today I had a situation where a DHCP WAN connection on my pfSense 2.3.2_p1 system went down and left a dangling state that was linked to an IP address that was no longer valid on my box.  This was causing an endless spamming of kernel: arpresolve: can't allocate llinfo for 100.38.20.1 on igb1 messages filling up my logs.  So I tracked the state down:

    [2.3.2-RELEASE][admin@r1]/root: pfctl -ss -vv | grep -A2 100.38.20
    igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060      MULTIPLE:MULTIPLE
      age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
      id: 00000000580fce02 creatorid: fcee5f8c

    I found from looking at the pfctl manpage that there is a way to kill a state by its internal id# …

    pfctl -k id -k <internal-id>

    So I tried this repeatedly:

    [2.3.2-RELEASE][admin@r1]/root: pfctl -k id -k 00000000580fce02
    killed 0 states

    It had no effect.  Does anyone have a clue as to why this doesn't work? ???



  • Did a bit of googling.  Found a thread from 2010, basically a guy on OpenBSD noticing the same thing:
    http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-td100879.html

    So… 6 years later and no fix. I guess this function just doesn't work?? Who should I even be asking?



  • @luckman212:

    Did a bit of googling.  Found a thread from 2010, basically a guy on OpenBSD noticing the same thing:
    http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-td100879.html

    So… 6 years later and no fix. I guess this function just doesn't work?? Who should I even be asking?

    Maybe strace it or check the source code and see what is going on?



  • @Nullity:

    Maybe strace it or check the source code and see what is going on?

    Above my pay grade unfortunately.



  • @Nullity:

    Maybe strace it or check the source code and see what is going on?

    I found a relevant thread from 2014, where BBcan177 suggests using [truss](https://www.freebsd.org/cgi/man.cgi?query=truss) to debug check_reload_status.

    I am not sure what the syntax for that would be…? If I had to guess:

    truss -o /tmp/truss.out -aed -p

    Either way, I'm not going to try just now as I have an open support case with pfSense – in case they are going to look at it I don't want to touch anything that might disturb the state.


  • Rebel Alliance Developer Netgate

    I'm not sure I've ever tried to kill by id but it doesn't seem to work. We always kill by IP address or network in source/destination rather than by id, though.



  • Hmm, that's too bad. I'm not saying it's pfSense's fault (it obviously isn't), but the BSD docs should really be updated if that function is non-functional. Again, does anyone know who/how to submit bug reports for these?

    Back to the topic, consider the following invalid state:

    igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060      MULTIPLE:MULTIPLE
      age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
      id: 00000000580fce02 creatorid: fcee5f8c

    What would the correct invocation of pfctl -k be to kill it?
    I have trouble deciphering the meaning of the IPs that are in parens () vs. outside of them and the <- -> arrows for some reason.



  • Finally figured this out!  8)
    Documentation sure could use some more examples. Apparently you need to specify the state to be killed as state_id/creator_id:

    pfctl -k id -k 00000000580fce02/fcee5f8c

    Seems to work for me, at least on 2.4.
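    As an added example (not code from this thread or from pfSense), a small POSIX shell helper that turns the `pfctl -ss -vv` listing into the `state_id/creator_id` argument the last post describes, so a stale state can be found by address and killed without hand-copying the ids. It assumes the state lines use the format quoted earlier in the thread (header line in column 1, indented `id: ... creatorid: ...` line below it); the sample listing inside the block is constructed, and the helper never runs `pfctl` itself.

```shell
#!/bin/sh
# Added example: build "<id>/<creatorid>" for every pf state whose header
# line carries the given address, from `pfctl -ss -vv` text on stdin.
# Address tokens are matched whole ("addr:port", "(addr:port)" for the
# NAT side, "[addr]:port" for IPv6), so 100.38.20.1 does not also match
# 100.38.20.188 the way a plain substring grep would.
state_kill_ids() {
    addr="$1"
    awk -v addr="$addr" '
        # Header lines start in column 1 (interface name). Reset the
        # match flag and compare every address token on the line.
        /^[^ \t]/ {
            matched = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                gsub(/[][()]/, "", f)   # strip NAT parens / IPv6 brackets
                sub(/:[0-9]+$/, "", f)  # strip the port
                if (f == addr) matched = 1
            }
            next
        }
        # Indented "id: <id> creatorid: <creatorid>" line of a matched state.
        matched && $1 == "id:" && $3 == "creatorid:" { print $2 "/" $4 }
    '
}

# Constructed sample listing: the stale state from the thread plus one
# healthy TCP state on another interface.
SAMPLE_STATES='igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060       MULTIPLE:MULTIPLE
   age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
   id: 00000000580fce02 creatorid: fcee5f8c
igb0 tcp 192.168.20.10:52314 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
   age 00:01:02, expires in 23:59:58, 40:38 pkts, 5000:120000 bytes, rule 12
   id: 00000000580fd1a9 creatorid: fcee5f8c'

# On a real box the same pipeline would be:
#   pfctl -ss -vv | state_kill_ids 100.38.20.188 \
#     | while read -r spec; do pfctl -k id -k "$spec"; done
# Here we only print the argument built from the sample listing.
printf '%s\n' "$SAMPLE_STATES" | state_kill_ids 100.38.20.188
```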