There error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy
-
Hi there,
Apologies - I'm not sure whether this goes in the IPv6 section or the 2.1 section, so please move it if req'd.
I'm getting this error message on reboot of my 2.1 gateway:
There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]
My search reveals a similar thread for 2.0 snapshots back in 2010 - but that didn't get followed up.
My gateway has pfBlocker and a tunnel broker connection. The above error only appears since adding the tunnel broker IPv6 tunnel. It didn't appear before. The message appears in the system logs, but with no other information.
Everything appears to work, but obviously something's wrong…
Any help would be very appreciated.
Thanks,
Simon
-
Just to add to this - I've since rebuilt the whole firewall from scratch using the latest snapshot and it continues to do it. I didn't import my previous config, I rebuilt it manually. And it only started doing it after creating my HE.net tunnel.
Thanks.
-
Do you run any proxy software(package) on your installation?
-
@ermal:
Do you run any proxy software(package) on your installation?
Hi there,
Thanks for the reply.
Nope, no proxy.
It's an AMD64 install, 4GB RAM on a D2500CC. DHCP Wan IP from my ISP, pfBlocker installed on top of that, and then finally the IPv6 tunnel to tunnelbroker.net (he.net). Pretty straight forward I think. :)
Simon
-
A quick update after some testing this evening that I've done.
I had a statically assigned DHCP reservation from my ISP. I've taken this and set my WAN interface to be that actual static IP, using the same address and gateway information. Now when I reboot I no longer get the error.
It appears that perhaps the IPv6 tunnel is having some difficulty in attaching to an interface that hasn't got it's address yet? Maybe?
Although the system logs suggest that the WAN interface has the IPv4 address by that point, but I'm not sure. Will gladly upload logs if it'll help further?
Thanks,
Simon
-
Hmmm, another update. Sorry for appearing to spam this but I'm genuinely not!
Anyway, it appears that after my ISP (O2 UK) made some changes on the network last week, the way that my static IP address is handled has changed. Whereas before I set my static IP address manually, now they say that I have to use DHCP, where I will be assigned a reservation. I guess I've just worked out why.
So, after my 'fix' above of changing to a static IP on the WAN, the connection totally drops out after 30 minutes. A reboot doesn't sort it - the only thing that will sort it is going back to DHCP on the WAN. I guess the ISP is looking for the DHCP lease request, and if it doesn't get it then assumes the connection is down - or other such weirdness.
Anyway, it leads me back around to what started this thread. In DHCP mode on the WAN I'm getting this strange error (thread title).
Any more ideas are gratefully appreciated
Thanks,
Simon
-
Have you tried disabling pfBlocker and see if that fixes it?
-
@ermal:
Have you tried disabling pfBlocker and see if that fixes it?
Yup, I've tried that. Indeed, it disables itself when updating to the new snapshots that are released.
But do you mean just disabling it, or disabling all the aliased rules I have too?
-
Disable the package and the rules that reference aliases from it.
-
@ermal:
Disable the package and the rules that reference aliases from it.
Thanks - I'll try that tonight when I get home.
Is it enough to disable the rules, or do I actually have to delete them?
-
Just disable them.
Though the most important are the aliases content in this case. -
Hi,
Well that's interesting - I've just taken a gamble and done it remotely from the office.
I disabled the rules, then disabled pfBlocker and no error on reboot! Very strange.
So,
IPv6 tunnel ON, pfBlocker OFF, DHCP WAN address = No error
IPv6 tunnel ON, pfBlocker ON, Static WAN address = No error
IPv6 tunnel OFF, pfBlocker On, DHCP WAN address = No error
IPv6 tunnel ON, pfBlocker On, DHCP WAN address = error!So disabling any of pfBlocker, IPv6, or the DHCP address stops the error… I've very confused.
Thanks for your help so far
Simon
-
Me again! :)
OK, done some more testing.
With all the rules used for pfBlocker disabled, I then disabled all the individual lists that I load. Reboot - no error. Then one by one turned them back on, and once we got to the larger lists (then rebooting) it started to get the error again.
So putting together this, along with the post above, it just seems that a combination of things make the 'timeout' get reached, and for the error to occur, including adding larger lists into pfBlocker.
Is there a configurable option somewhere to set this timeout or to see in more detail as to what's 'failing'?
Thanks,
Simon
-
No its a pfblocker fault here on how it does things.
-
Thanks for that :) I'll ask pfBlocker guy to look at it
One last thing - are you sure, considering that I don't get this error just by disabling my IPv6 tunnel?
Many thanks for all your help
Simon
-
For me, this problem went away after I set "Top Spammers" to Disabled. All my other lists are still active.