PF was wedged/busy and has been reset.
-
This is happening every day! vmware esxi 6, with 3 vmxnet3 ethernet cards
Version 2.3.2-RELEASE-p1 (amd64) FreeBSD 10.3-RELEASE-p9
The system is on the latest version.
CPU Type Intel(R) Xeon(R) CPU E5-2667 v2 @ 3.30GHz
4 CPUs: 4 package(s) x 1 core(s)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
Uptime 58 Days 06 Hours 33 Minutes 38 Seconds
State table size 10% (26204/250000) Show states
MBUF Usage 29% (7600/26584)
Load average 1.22, 1.25, 1.33
CPU usage 19%
Memory usage 23% of 2013 MiB
SWAP usage 0% of 4096 MiB
Disk usage ( / ) 3% of 35GiB - ufs
Disk usage ( /var/run ) 7% of 3.4MiB - ufs in RAMNotices
pf_busyPF was wedged/busy and has been reset. @ 2017-02-16 14:38:49
PF was wedged/busy and has been reset. @ 2017-02-16 15:10:32
PF was wedged/busy and has been reset. @ 2017-02-16 15:23:22
PF was wedged/busy and has been reset. @ 2017-02-17 14:00:53
PF was wedged/busy and has been reset. @ 2017-02-17 14:22:27
PF was wedged/busy and has been reset. @ 2017-02-17 15:14:50Filter Reload
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [0]: @ 2017-02-16 14:38:50
There were error(s) loading the rules: pfctl: DIOCADDADDR: Device busy - The line in question reads [0]: @ 2017-02-16 15:10:33
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [0]: @ 2017-02-16 15:23:23
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [0]: @ 2017-02-17 14:00:54
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [0]: @ 2017-02-17 14:22:28
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [0]: @ 2017-02-17 15:14:51
-
It means, more or less, what it says. Something had a lock on pf when something else tried to reload the ruleset.
That isn't usually very common, but if you have something constantly polling pf data like reloading the state table contents repeatedly with a large state table, it could happen.
-
So how is this fixed? I didn't have any problems with my setup until after I enabled IPV6 with the Hurricane Electric setup. Now I have 42 or more notices every time I check my dashboard. It's always the same message. I have, after seeing this error, attempted to remove and unset EVERYTHING that had ANYTHING to do with IPV6. Nothing has resolved the problem. I have scoured the forums, the general web, and it seems to be persistent for those of us who have the issue. I have done everything short of rebuilding the entire firewall to no avail. I would prefer to actually correct this issue "the right way," instead of just wiping and reinstalling.
I have only forwarding rules. I haven't installed any packages. Having poured through the forms relative these errors, I have concluded that this is an issue unrelated to hardware platform as there are even people reporting this issue with the "appliances," you can buy directly.
PF was wedged/busy and has been reset. @ 2017-03-10 08:48:31
There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: @ 2017-03-10 08:48:32Thanks for reading my post.
-
Anyone?
-
You showed the error.
Can you show any relevant log lines when such an error happens - and 10, 20 logs lines before that ?
-
I have attached a screen capture of what I see. I've gone through each link on the logs page and find nothing matching DIOCXCOMMIT on any of them so I'm unable to reply with your requested information.
-
I have found a couple more instances where the firewall was set to recognize the IPV6. First it was in the LAN rules list, and then again in my DNS settings. I have removed them and restarted, I hope that this corrects the issue.
Eventually, (as in sooner over later,) I'm going to have to master this IPV6 stuff. I've got a significantly better understanding than I had, but… I have disabled all of it in hopes to return to a state that I didn't get that DIOCXCOMMIT error message.
I suspect I missed, or mistyped, something along my configuration path. When I have more time, I'll actually attempt to reconfigure the HE IPV6 tunnel.
Thanks again for reviewing this issue.
-
So far so good… no reported issue with the wedged/busy error. But now I'm finding unbound is crashing. I have noticed IPV6 entries in "Services -> DNS Resolver -> General Settings" in Network Interfaces and Outgoing Network Interfaces. I haven't been able to figure out how to remove those entries.
Unbound is reporting "error: cannot chdir to directory: (No such file or directory)." I'm finding it crashed throughout the day.
Mar 26 21:59:47 unbound 67080:0 info: [25%]=0 median[50%]=0 [75%]=0 Mar 26 21:59:47 unbound 67080:0 info: lower(secs) upper(secs) recursions Mar 26 21:59:47 unbound 67080:0 info: 0.262144 0.524288 1 Mar 26 21:59:47 unbound 67080:0 notice: Restart of unbound 1.6.0. Mar 26 21:59:47 unbound 67080:0 error: cannot chdir to directory: (No such file or directory) Mar 26 21:59:47 unbound 67080:0 notice: init module 0: validator Mar 26 21:59:47 unbound 67080:0 notice: init module 1: iterator Mar 26 21:59:47 unbound 67080:0 info: start of service (unbound 1.6.0). Mar 26 21:59:47 unbound 67080:0 info: service stopped (unbound 1.6.0). Mar 26 21:59:47 unbound 67080:0 info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch Mar 26 21:59:47 unbound 67080:0 info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 Mar 26 21:59:47 unbound 67080:0 info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch Mar 26 21:59:47 unbound 67080:0 info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0 Mar 26 21:59:47 unbound 67080:0 notice: Restart of unbound 1.6.0. Mar 26 21:59:47 unbound 67080:0 error: cannot chdir to directory: (No such file or directory) Mar 26 21:59:47 unbound 67080:0 notice: init module 0: validator Mar 26 21:59:47 unbound 67080:0 notice: init module 1: iterator Mar 26 21:59:47 unbound 67080:0 info: start of service (unbound 1.6.0)I'm not familiar enough with what I'm reading to know what it means yet. I've found a couple of other threads but they're not clear enough on what to do to resolve the issue.
-
I have turned off the "forwarder," in "services -> DNS resolver," and that seems to have completely stabilized my firewall. No more notifications, no more errors, no more crashes (so far).
