Strange error: There were error(s) loading the rules: pfctl: pfctl_rules
-
@kprovost After installing this kernel patch I was able to observe a collision of pf syscalls, and it did not end up in a locked state like it did previously.
So far I'd say this patch is doing the job.
-
@kprovost I have also been running with the kernel patch. It seems to have resolved the problem for me as well.
-
Is this intended as "proper" fix or just as a temporary workaround? Or asked differently: Will this be merged like this or will there be a different fix? Is there a diff available somewhere so I can see what was changed?
-
Right now these are test kernels, just to prove we have found the issue. Now that this appears to be the case, we will merge it and look at what we can do for existing 22.05 installs.
Steve
-
@flole It's a real fix, not a workaround. It's gone in upstream: https://cgit.freebsd.org/src/commit/?id=6ab80e7275091c900da8d2e84a7b0bb4c34a1e41
and I'll merge it to our local branch just as soon as this test-build finishes.
-
@kprovost would it be possible to also get the kernel patch for ARM64 as I have Netgate 2100s and a 1100 that also have this happening.
Thanks for all your help!
-
@artooro We don't need any further testing on different platforms.
The fix has been merged in all relevant branches (and upstream FreeBSD) and will be present in upcoming snapshots, when they're published again.
-
Apologies for bumping this relatively old thread but I'm seeing this on a new Netgate 6100 Max running pfSense+ 22.05-RELEASE. Is there a snapshot available that effectively has only this one merge included? This is a production machine so I want to keep the non-release deltas to a minimum.
-
@bblacey I don't believe so, no.
-
Any update or tutorial on this? Constantly happening on my SG-2440
-
It only affects the new layer 2 rules in 22.05. The only real mitigation you can apply there is to avoid using them as far as possible. Otherwise you can upgrade to a 23.01 snapshot where it's fixed. Those are not in beta yet though.
Steve
-
@stephenw What are these new layer2 rules that are causing this problem, and how do we avoid using them? I have a firewall in production that constantly has this error, causing all sorts of problems for the client.
-
@lukeskyscraper Only the captive portal feature uses layer 2 rules. Disabling captive portal should mean you won't run into the issue again.
-
@kprovost I encountered the issue several times and I do not use captive portal at all (not even configured).
-
@chrisjenk That's somewhat unexpected. It may be worth testing a 23.01 snapshot to confirm it fixes the issue for you as well, but there's no other workaround.
-
@kprovost I don't use any captive portal features either. I do use Adam:ONE though, as well as pfBlocker for geo IP lists. Yesterday I got this firewall to reload its filter by disabling pfBlocker, reloading, then re-enabling it afterwards. But it seems to be a different fix every time this problem happens. Sometimes a reboot works, sometimes it works to back up and restore the full configuration, and this time it was pfBlocker.
I hope 23.01 becomes available soon. It would be nice if Netgate would put this fix out as a patch in the meantime...
-
@kprovost I ran into this and don't have a captive portal either. My configuration is pretty much the same that I have been using since 2.4.5, so not using any "new" features. I have not seen the issue recur since applying the kernel patch though.
-
@lukeskyscraper What kind of hardware are you using? There is a patch for Intel and some ARM devices, which has been working for us.
-
Yeah, there is a test kernel for 22.05 still available earlier in this thread. It was very much for testing only, but it might be a good test if you're hitting it without any layer 2 rules.
Because this is a compiled-in kernel change, it's not something we can release as a run-time patch. It would require a complete point release.
23.01 snapshots are currently available. Right now, though, there is some back-end work happening which might mean they are not available for a while today.
Steve
-
@artooro This particular box is a Netgate 7100, so if there's an Intel patch available, I'd be happy to try it.