Date:      Sat, 18 Nov 2023 19:00:23 +0100
From:      "Herbert J. Skuhra" <herbert@gojira.at>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf is broken in stable/14-n265566-4533fa42ad91 arm64
Message-ID:  <87msvbgcw8.wl-herbert@gojira.at>
In-Reply-To: <ZVjYgU_OSHEe7PmF@int21h>
References:  <ZVjYgU_OSHEe7PmF@int21h>

On Sat, 18 Nov 2023 16:30:09 +0100, void wrote:
> 
> Hi, [originally sent to freebsd-stable but on second thoughts, this should have
> gone here]
> 
> This context [1] was on stable/14-n265566 where pf worked fine. Source upgrade
> yesterday to stable/14-n265566 and pf is now broken.

???

$ git diff --shortstat 4533fa42ad91
 562 files changed, 8663 insertions(+), 3659 deletions(-)

> # service pf status
> /usr/src/sys/contrib/libnv/nvlist.c:379: Element 'halfopen_states' of type NUMBER doesn't exist.
> Abort trap (core dumped)
> 
> To try and debug, I disabled all pf-related things in rc.conf and loader.conf, and tried to
> load things manually then apply a very basic pf config file /etc/pf.basic
> 
> # kldload pf
> #
> # pfctl -nvf /etc/pf.basic
> ext_if = "genet0"
> block drop in all
> pass in on genet0 proto tcp from any to any port = ssh flags S/SA keep state
> pass out all flags S/SA keep state
> 
> # pfctl -evf /etc/pf.basic
> No ALTQ support in kernel
> ALTQ related functions disabled
> ext_if = "genet0"
> pfctl: DIOCADDRULENV: Argument list too long
> 
> When the problem was first identified, this appeared at the console on bootup:
> 
> ###
> Nov 13 12:18:05 redacted kernel: Enabling pfpfctl: DIOCADDRULENV: Argument list too long
> Nov 13 12:18:05 redacted kernel: /etc/rc: WARNING: Unable to load /etc/pf.conf.
> Nov 13 12:18:05 redacted kernel: /etc/rc: WARNING: Loading fallback rules: block drop log all
> Nov 13 12:18:05 redacted kernel: pfctl: DIOCADDRULENV: Argument list too long
> Nov 13 12:18:05 redacted kernel: /usr/src/sys/contrib/libnv/nvlist.c:379: Element 'halfopen_states' of type NUMBER doesn't exist.
> Nov 13 12:18:05 redacted kernel: Abort trap (core dumped)
> Nov 13 12:18:05 redacted kernel: .
> 
> Note the pfpfctl above

Can you try a newer revision? I think this is already fixed.
PF works fine on my Raspberry Pi 4 Model B Rev 1.2 4GB
(stable/14-n265749-51a024c42c4).

--
Herbert


