Project

General

Profile

Actions

Bug #13408

closed

PF can fail to load a new ruleset

Added by Steve Wheeler over 1 year ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:
All

Description

In some circumstances pfctl fails to load the rulset after it's updated. It shows errors like:

There were error(s) loading the rules: pfctl: pfctl_rules - The line in question reads [0]: @ 2022-08-04 19:43:08

The ruleset file, /tmp/rules.debug, appears correctly populated.

Trying to load the ruleset manually with verbose logging shows on the same error and not the expected rule list.

Trussing pfctl shows only that is cannot access pf to load the rules after boot:

ioctl(3,DIOCXBEGIN,0xbfbfd9d0) ERR#16 'Device busy'

Most users who have seen this have rebooted and loaded the ruleset successfully but not all.

This is not only immediately after upgrade where there may be components of the previous release still present.

See: https://forum.netgate.com/topic/173923/strange-error-there-were-error-s-loading-the-rules-pfctl-pfctl_rules/

We are seeing this in 22.05-rel but have previously seen similar errors in 2.7 snapshots

Actions #1

Updated by Kristof Provost over 1 year ago

  • Status changed from New to Ready To Test

This will be fixed by https://cgit.freebsd.org/src/commit/?id=6ab80e7275091c900da8d2e84a7b0bb4c34a1e41
I've also merged it into devel-12 as b2f21e9050cd2748afc721ee8e41a5fcbf5973ed

Actions #2

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #3

Updated by Jim Pingle over 1 year ago

  • Status changed from Ready To Test to Feedback
  • Assignee set to Kristof Provost
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle over 1 year ago

  • Subject changed from pfctl can fail to load a new ruleset. to PF can fail to load a new ruleset
Actions #5

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

I haven't seen this happen (or any reports of it happening) on snapshots since the fix went in.

Actions #6

Updated by Jim Pingle 10 months ago

  • Affected Version set to 2.7.0
Actions

Also available in: Atom PDF