Help with error: There were error(s) loading the rules: pfctl: DIOCSETREASS - The line in question reads [0]:

JBW · Mar 14, 2024, 2:12 PM

Hello!
Since I updated my Netgate PFSense version to 23.09.1 the logs are showing the above error. When I re-load the rule set. It's stopping with the same error. Going into the command line and running this: pfctl -f /tmp/rules.debug it gives this output: ptctl: DIOCSETREASS.

Have done some digging around online and can't find much other than some other users having the same issue with no resolution. I have not changed any config just updated. Is it a config error or a bug?

Thanks.

Konstanti · Mar 14, 2024, 2:23 PM

@JBW

Hi
A very interesting error
Please, show me what the command gives

uname -a

And show me, Please. the contents of the rules.debug in the part where there are lines
SCRUB ....

and
SET REASSEMBLY ....

If you look at the source code of PF (Freebsd 15), then there should be no error in initializing the SET REASSEMBLE (DIOCSETREASS) option

However , it occurs .
It seems that the kernel does not know anything about this option.

JBW · Mar 14, 2024, 2:31 PM

Here you go:
uname -a:

FreeBSD (removed)14.0-CURRENT FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:26:04 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/amd64/f2Em2w3l/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/sources/FreeBSD-src-plus-RELENG_23_05_1/amd64.amd64/sys/pfSense amd64

I think this is the output you require from rules.dbug:
@0 scrub from any to <vpn_networks:2> fragment no reassemble
[ Evaluations: 31876285400 Packets: 30875390 Bytes: 6935698 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@1 scrub from <vpn_networks:2> to any fragment no reassemble
[ Evaluations: 31845410168 Packets: 30928996 Bytes: 92583148 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@2 scrub on ix1 inet all fragment reassemble
[ Evaluations: 31814481225 Packets: 3734665330 Bytes: 1043950633534 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@3 scrub on ix1 inet6 all fragment reassemble
[ Evaluations: 6351623 Packets: 6351623 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@4 scrub on lagg0.10 inet all fragment reassemble
[ Evaluations: 28073464358 Packets: 102 Bytes: 2128 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@5 scrub on lagg0.10 inet6 all fragment reassemble
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@6 scrub on ix0.1020 inet all fragment reassemble
[ Evaluations: 28073464317 Packets: 15666106591 Bytes: 4778804457158 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@7 scrub on ix0.1020 inet6 all fragment reassemble
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@8 scrub on ix0.1021 inet all fragment reassemble
[ Evaluations: 12407357739 Packets: 32656268 Bytes: 16085084 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@9 scrub on ix0.1021 inet6 all fragment reassemble
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@10 scrub on lagg0.130 inet all fragment reassemble
[ Evaluations: 12374701513 Packets: 52382 Bytes: 2158718 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@11 scrub on lagg0.130 inet6 all fragment reassemble
[ Evaluations: 97 Packets: 97 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@12 scrub on lagg0.6 inet all fragment reassemble
[ Evaluations: 12374649161 Packets: 9379140 Bytes: 454501564 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@13 scrub on lagg0.6 inet6 all fragment reassemble
[ Evaluations: 135225 Packets: 135225 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@14 scrub on lagg0.2000 inet all fragment reassemble
[ Evaluations: 12365134826 Packets: 112238539 Bytes: 56010438796 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@15 scrub on lagg0.2000 inet6 all fragment reassemble
[ Evaluations: 166 Packets: 166 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@16 scrub on lagg0.128 inet all fragment reassemble
[ Evaluations: 12252896215 Packets: 9688975477 Bytes: 3017100822326 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@17 scrub on lagg0.128 inet6 all fragment reassemble
[ Evaluations: 19984454 Packets: 19984454 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@18 scrub on lagg0.127 inet all fragment reassemble
[ Evaluations: 2543936291 Packets: 2445984217 Bytes: 705296810105 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@19 scrub on lagg0.127 inet6 all fragment reassemble
[ Evaluations: 10356260 Packets: 10356260 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@20 scrub on lagg0.129 inet all fragment reassemble
[ Evaluations: 87595814 Packets: 69204252 Bytes: 10105070292 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@21 scrub on lagg0.129 inet6 all fragment reassemble
[ Evaluations: 20 Packets: 20 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@22 scrub on lagg0.17 inet all fragment reassemble
[ Evaluations: 18391542 Packets: 16423072 Bytes: 5022174862 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@23 scrub on lagg0.17 inet6 all fragment reassemble
[ Evaluations: 60188 Packets: 60188 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@24 scrub on lagg0.120 inet all fragment reassemble
[ Evaluations: 1908282 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]
[ Last Active Time: N/A ]
@25 scrub on lagg0.120 inet6 all fragment reassemble
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 60974 State Creations: 0 ]

I can't see anything listed for SET REASSEMBLY.

Hope that helps?

stephenw10 · Mar 14, 2024, 4:00 PM

The upgrade has not completed. You are running 23.05.1 kernel with 23.09.1 userland and pfctl is trying to do things that the running pf module doesn't know about.

Does it still offer you an upgrade? Try re-running it if so.

If not try running: pkg-static upgrade and see what upgrades it offers you.

Check the uptime on the dashboard. I assume it never rebooted?

Konstanti · Mar 14, 2024, 4:04 PM

@JBW

It's hard to say anything.
The problem is that Freebsd 14 (15) supports this option, but Freebsd 13 does not

It looks
like pfctl in this build is from Freebsd 14(15) and by default tries to initialize "SET REASSEMBLE"
and here is the pf code in kernel ..... He doesn 't seem to know anything about her.

JBW · Mar 14, 2024, 4:18 PM

@stephenw10 said in Help with error: There were error(s) loading the rules: pfctl: DIOCSETREASS - The line in question reads [0]::

pkg-static upgrade

That would make sense ( pardon the pun)

Here is the output from checking for updates ( even though on the main page it is not offering any)
Updating pfSense-core repository catalogue...
Fetching meta.conf:
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf:
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (2 candidates): .. done
Processing candidates (2 candidates): .. done
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
curl: 8.5.0 -> 8.6.0 [pfSense]
unbound: 1.18.0_1 -> 1.19.1 [pfSense]

Number of packages to be upgraded: 2

3 MiB to be downloaded.

Proceed with this action? [y/N]:

stephenw10 · Mar 14, 2024, 4:23 PM

Hmm, those don't make any difference to pf. You can upgrade then later once you're running 23.09.1 correctly.

What does this show?: pkg-static info -x pfsense

Does the uptime indicate it never rebooted?

JBW · Mar 15, 2024, 8:57 AM

@stephenw10 said in Help with error: There were error(s) loading the rules: pfctl: DIOCSETREASS - The line in question reads [0]::

: pkg-static info -x pfsense

Here you go:

pfSense-23.09.1
pfSense-Status_Monitoring-php82-1.8_3
pfSense-base-23.09.1
pfSense-boot-23.09.1
pfSense-composer-deps-0.1
pfSense-default-config-serial-23.09.1
pfSense-kernel-pfSense-23.09.1
pfSense-pkg-Avahi-2.2_4
pfSense-pkg-Cron-0.3.8_3
pfSense-pkg-Netgate_Firmware_Upgrade-23.05.00
pfSense-pkg-WireGuard-0.2.1
pfSense-pkg-acme-0.7.5
pfSense-pkg-aws-wizard-0.10
pfSense-pkg-ipsec-profile-wizard-1.2
pfSense-pkg-tftpd-0.1.3_4
pfSense-repo-23.09.1
pfSense-repoc-20230912
pfSense-upgrade-1.2.1_1
php82-pfSense-module-0.95

I don't think it's been rebooted since its update.

stephenw10 · Mar 15, 2024, 1:37 PM

Hmm, it looks like upgraded everything and just failed to reboot for some reason. I would probably just reboot it. However be sure to have some fall back plan because failing to reboot could indicate issues that might prevent it booting. If it's a ZFS install you will have BE snapshots you can roll back to if it fails.

JBW · Mar 15, 2024, 1:48 PM

@stephenw10

Looks like just a reboot has done it. I have a backup negate box that I swapped over with the same config, so I could work on the said problem box, interestingly when SSH'd onto the unit, it was not loading the menu, but it did allow me to send the reboot command to it and after it came back up it behaved as normal - I swapped it back into the production network and all looks good. No recurrence of the error so far. Hopefully now OK.

Thanks for your help :)