Netgate Discussion Forum

Strange error: There were error(s) loading the rules: pfctl: pfctl_rules

  • L
    lukeskyscraper @stephenw10
    last edited by Nov 18, 2022, 1:31 AM

    @stephenw What are these new layer2 rules that are causing this problem, and how do we avoid using them? I have a firewall in production that constantly has this error, causing all sorts of problems for the client.

    • K
      kprovost @lukeskyscraper
      last edited by Nov 18, 2022, 8:41 AM

      @lukeskyscraper Only the captive portal feature uses layer 2 rules. Disabling captive portal should mean you won't run into the issue again.

      • C
        ChrisJenk @kprovost
        last edited by Nov 18, 2022, 9:22 AM

        @kprovost I encountered the issue several times and I do not use captive portal at all (not even configured).

        • K
          kprovost @ChrisJenk
          last edited by Nov 18, 2022, 10:04 AM

          @chrisjenk That's somewhat unexpected. It may be worth testing a 23.01 snapshot to confirm it fixes the issue for you as well, but there's no other workaround.

          • L
            lukeskyscraper @kprovost
            last edited by Nov 18, 2022, 5:13 PM

            @kprovost I don't use any captive portal features either. I do use Adam:ONE though, as well as pfBlocker for geo IP lists. Yesterday I got this firewall to reload its filter by disabling pfBlocker, reloading, then re-enabling it afterwards. But... it seems to be a different fix every time this problem happens. Sometimes a reboot works, sometimes it works to back up and restore the full configuration, and this time it was pfBlocker.

            I hope 23.01 becomes available soon. It would be nice if Netgate would put this fix out as a patch in the meantime...

            • D
              djrobx @kprovost
              last edited by Nov 18, 2022, 5:35 PM

              @kprovost I ran into this and don't have a captive portal either. My configuration is pretty much the same that I have been using since 2.4.5, so not using any "new" features. I have not seen the issue recur since applying the kernel patch though.

              • A
                artooro @lukeskyscraper
                last edited by Nov 18, 2022, 6:09 PM

                @lukeskyscraper What kind of hardware are you using? There is a patch for Intel and some ARM devices, which has been working for us.

                • S
                  stephenw10 Netgate Administrator
                  last edited by Nov 18, 2022, 6:15 PM

                  Yeah, there is a test kernel for 2205 still available earlier in this thread. It was very much for testing only but it might be a good test if you're hitting it without any layer2 rules.

                  Because this is a compiled in-kernel change it's not something we can release as a run-time patch. It would require a complete point release.

                  23.01 snapshots are currently available. Although right now there is some back end work happening which might mean they are not available for a while today.

                  Steve

                  • L
                    lukeskyscraper @artooro
                    last edited by Nov 18, 2022, 6:15 PM

                    @artooro This particular box is a Netgate 7100, so if there's an Intel patch available, I'd be happy to try it.

                    • A
                      artooro @lukeskyscraper
                      last edited by Nov 18, 2022, 6:18 PM

                      @lukeskyscraper OK, try these commands in an SSH prompt:

                      rm -r /boot/kernel.old
                      mv /boot/kernel /boot/kernel.old
                      curl -o /tmp/kernel.tar.bz2 https://people.freebsd.org/~kp/kernel.tar.bz2
                      tar -xjf /tmp/kernel.tar.bz2 -C /boot
                      

                      And then reboot

                      Make sure you have a config backup in case it goes wrong.

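An added example, not part of the original post and not the poster's or Netgate's code: a check to run on the downloaded archive before `/boot/kernel` is moved aside, so a truncated or altered download never reaches `/boot`. The expected SHA-256 is a placeholder to be obtained from the kernel's publisher out of band (the thread does not give one), and the `kernel/` top-level layout is an assumption inferred from the `-C /boot` extraction in the commands above.

```shell
#!/bin/sh
# Added example: vet a downloaded kernel archive before it replaces /boot/kernel.

# Print the SHA-256 of a file (FreeBSD ships sha256, Linux ships sha256sum).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the archive matches the expected digest and every member
# stays under kernel/ (assumed layout): no absolute paths, no ".." components.
verify_kernel_archive() {
    archive=$1 expected=$2
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    actual=$(file_sha256 "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
    # tar auto-detects bzip2/gzip/plain when listing.
    members=$(tar -tf "$archive") || { echo "unreadable archive" >&2; return 1; }
    [ -n "$members" ] || { echo "empty archive" >&2; return 1; }
    # The loop runs in a subshell; its exit status becomes the function's.
    printf '%s\n' "$members" | while IFS= read -r m; do
        case $m in
            /*|..|../*|*/..|*/../*) echo "unsafe path: $m" >&2; exit 1 ;;
            kernel|kernel/*) ;;
            *) echo "unexpected member: $m" >&2; exit 1 ;;
        esac
    done
}

# Usage (placeholder digest, download the archive to /tmp first):
#   verify_kernel_archive /tmp/kernel.tar.bz2 "<EXPECTED_SHA256>" \
#       && echo "archive OK, safe to swap /boot/kernel"
```

Running the download and this check before the `mv` also means a failed download leaves the working kernel in place.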
                      • S
                        stephenw10 Netgate Administrator
                        last edited by Nov 18, 2022, 6:21 PM

                        And an install image. Preferably on a USB drive ready to go. 😉

                        • L
                          lukeskyscraper @artooro
                          last edited by Nov 18, 2022, 6:50 PM

                          @artooro Awesome, thanks. The firewall is remote, at a site we visit weekly. If this issue crops up again by next week, then I'll try this kernel while someone is on site.

                          • M
                            mardacs27 @artooro
                            last edited by Nov 21, 2022, 4:05 AM

                            @artooro Can this also be tested on SG-2440 (Intel)?

                            • S
                              stephenw10 Netgate Administrator
                              last edited by Nov 21, 2022, 2:04 PM

                              Yes, it will work on any amd64 device, they all share the same 22.05 kernel.

                              • S
                                sandie
                                last edited by sandie Jan 15, 2023, 11:39 AM Jan 15, 2023, 11:20 AM

                                Hello colleagues,
                                I am skim-reading this thread. Is this problem (https://redmine.pfsense.org/issues/13408) resolved in 23.01 (I am on Plus with a 7100-DT)? I was affected by the discussed problem too and so far reboots always helped (we do not change rules very often).
                                I did not check much, but prior to the last reboot/problem I can confirm that /tmp/rules.debug was quite a large file (non-empty / 346 lines in my case). Status / Filter Reload was bringing up errors at the time of the "problem", until the router rebooted.
                                Did I understand correctly that for 22.05 Plus there is a kernel fix that should be applied manually? I think I can live a little longer with reboots, but would like to confirm that it was fixed in 23.01.
                                Sorry for bringing this thread back from the ashes.
                                BTW, I am not using Captive Portal or 6to4 tunnels either.
                                Kind regards
                                Pawel

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Jan 15, 2023, 1:35 PM

                                  There was a test kernel that contained the fix for 22.05 but at this point it's better to test 23.01 if you can. If you're running ZFS you can always roll back the BE snap to 22.05 if required.
