Pfctl -k id not working?
-
Today I had a situation where a DHCP WAN connection on my pfSense 2.3.2_p1 system went down and left a dangling state that was linked to an IP address that was no longer valid on my box. This was causing an endless spamming of

```
kernel: arpresolve: can't allocate llinfo for 100.38.20.1 on igb1
```

messages filling up my logs. So I tracked the state down:

```
[2.3.2-RELEASE][admin@r1]/root: pfctl -ss -vv | grep -A2 100.38.20
igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060       MULTIPLE:MULTIPLE
   age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
   id: 00000000580fce02 creatorid: fcee5f8c
```

I found from looking at the pfctl manpage that there is a way to kill a state by its internal id# …

```
pfctl -k id -k <internal-id>
```

So I tried this repeatedly:

```
[2.3.2-RELEASE][admin@r1]/root: pfctl -k id -k 00000000580fce02
killed 0 states
```

It had no effect. Does anyone have a clue as to why this doesn't work? ???
-
Did a bit of googling. Found a thread from 2010, basically a guy on OpenBSD noticing the same thing:
http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-td100879.html

So… 6 years later and no fix. I guess this function just doesn't work?? Who should I even be asking?
-
> Did a bit of googling. Found a thread from 2010, basically a guy on OpenBSD noticing the same thing:
> http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-td100879.html
>
> So… 6 years later and no fix. I guess this function just doesn't work?? Who should I even be asking?

Maybe strace it or check the source code and see what is going on?
-
> Maybe strace it or check the source code and see what is going on?

Above my pay grade unfortunately.
-
> Maybe strace it or check the source code and see what is going on?

I found a relevant thread from 2014… where BBcan177 suggests using [truss](https://www.freebsd.org/cgi/man.cgi?query=truss) to debug check_reload_status. I am not sure what the syntax for that would be…? If I had to guess:

```
truss -o /tmp/truss.out -aed -p
```

Either way, I'm not going to try just now as I have an open support case with pfSense – in case they are going to look at it I don't want to touch anything that might disturb the state.
-
I'm not sure I've ever tried to kill by id but it doesn't seem to work. We always kill by IP address or network in source/destination rather than by id, though.
-
Hmm, that's too bad - I'm not saying it's pfSense's fault (obviously isn't) but the BSD docs should really be updated if that function is non-functional. Again, does anyone know who/how to submit bug reports for these?

Back to the topic, consider the following invalid state:

```
igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060       MULTIPLE:MULTIPLE
   age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
   id: 00000000580fce02 creatorid: fcee5f8c
```

What would the correct invocation of pfctl -k be to kill it?
I have trouble deciphering the meaning of the IPs that are in parens () vs. outside of them and the <- -> arrows for some reason.
-
Finally figured this out! 8)

Documentation sure could use some more examples. Apparently you need to specify the state to be killed as state_id/creator_id…

```
pfctl -k id -k 00000000580fce02/fcee5f8c
```

Seems to work for me, at least on 2.4.
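As an added example (not code from this thread or from pfSense), the following script turns `pfctl -ss -vv` output into the `state_id/creator_id` form that `pfctl -k id -k` expects, so a stale state for a given address can be located without reading the ids off by hand. It assumes the output layout quoted above and embeds that state (plus one constructed extra state) as sample input so it runs without a live pf; it only prints the kill commands, it does not run them.

```sh
#!/bin/sh
# Added example: derive "state_id/creator_id" for pfctl -k id -k from
# `pfctl -ss -vv` output. The sample below is constructed for this example
# (first state is the one quoted in the thread) so the script runs offline.

SAMPLE_STATES='igb1 udp 192.168.20.248:5070 (100.38.20.188:5070) <- 216.115.69.144:5060       MULTIPLE:MULTIPLE
   age 73:34:48, expires in 00:14:56, 10957:22678 pkts, 5313007:14248572 bytes, rule 117
   id: 00000000580fce02 creatorid: fcee5f8c
igb1 tcp 192.168.20.10:443 <- 203.0.113.7:51000       ESTABLISHED:ESTABLISHED
   age 00:01:02, expires in 23:59:00, 120:130 pkts, 9000:12000 bytes, rule 5
   id: 00000000580fce03 creatorid: fcee5f8c'

# state_ids_for ADDR: read `pfctl -ss -vv` output on stdin and print
# "state_id/creator_id" for every state whose header line contains ADDR.
state_ids_for() {
    awk -v addr="$1" '
        # Header lines start in column 1 with the interface name;
        # remember whether this state mentions the address we want.
        /^[^ \t]/ { hit = (index($0, addr) > 0); next }
        # The indented "id:" line belongs to the most recent header.
        hit && $1 == "id:" { print $2 "/" $4; hit = 0 }
    '
}

# kill_cmds_for ADDR: print the pfctl command(s) that would kill matching
# states. On a real box, replace the printf with `pfctl -ss -vv |`.
kill_cmds_for() {
    printf '%s\n' "$SAMPLE_STATES" | state_ids_for "$1" \
        | while read -r id; do
            printf 'pfctl -k id -k %s\n' "$id"
        done
}

kill_cmds_for 100.38.20.188
```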
-
@luckman212 Just in case people find this, I started a new post:
https://forum.netgate.com/topic/159884/pfsense-pfctl-bug-clicking-x-does-not-kill-states

I also have a new post on opnsense:
https://forum.opnsense.org/index.php?topic=20901.0

I will try to keep both updated. Thank you for posting your success. I LOVE it when people do that.
Can't stand when people don't follow up with their own question or just say "fixed it".
So you sir, ROCK.