Date: Sat, 18 Nov 2023 19:00:23 +0100
Message-ID: <87msvbgcw8.wl-herbert@gojira.at>
From: "Herbert J. Skuhra"
To: freebsd-pf@freebsd.org
Subject: Re: pf is broken in stable/14-n265566-4533fa42ad91 arm64
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On Sat, 18 Nov 2023 16:30:09 +0100, void wrote:
>
> Hi, [originally sent to freebsd-stable but on second thoughts, this should have
> gone here]
>
> This context [1] was on stable/14-n265566 where pf worked fine. Source upgrade
> yesterday to stable/14-n265566 and pf is now broken.

???

$ git diff --shortstat 4533fa42ad91
562 files changed, 8663 insertions(+), 3659 deletions(-)

> # service pf status
> /usr/src/sys/contrib/libnv/nvlist.c:379: Element 'halfopen_states' of type NUMBER doesn't exist.
> Abort trap (core dumped)
>
> To try and debug, I disabled all pf-related things in rc.conf and loader.conf, and tried to
> load things manually then apply a very basic pf config file /etc/pf.basic
>
> # kldload pf
> #
> # pfctl -nvf /etc/pf.basic
> ext_if = "genet0"
> block drop in all
> pass in on genet0 proto tcp from any to any port = ssh flags S/SA keep state
> pass out all flags S/SA keep state
>
> # pfctl -evf /etc/pf.basic
> No ALTQ support in kernel
> ALTQ related functions disabled
> ext_if = "genet0"
> pfctl: DIOCADDRULENV: Argument list too long
>
> When the problem was first identified, this appeared at the console on bootup:
>
> ###
> Nov 13 12:18:05 redacted kernel: Enabling pfpfctl: DIOCADDRULENV: Argument list too long
> Nov 13 12:18:05 redacted kernel: /etc/rc: WARNING: Unable to load /etc/pf.conf.
> Nov 13 12:18:05 redacted kernel: /etc/rc: WARNING: Loading fallback rules: block drop log all
> Nov 13 12:18:05 redacted kernel: pfctl: DIOCADDRULENV: Argument list too long
> Nov 13 12:18:05 redacted kernel: /usr/src/sys/contrib/libnv/nvlist.c:379: Element 'halfopen_states' of type NUMBER doesn't exist.
> Nov 13 12:18:05 redacted kernel: Abort trap (core dumped)
> Nov 13 12:18:05 redacted kernel: .
>
> Note the pfpfctl above

Can you try a newer revision? I think this is already fixed.

PF works fine on my Raspberry Pi 4 Model B Rev 1.2 4GB
(stable/14-n265749-51a024c42c4).

-- 
Herbert