Re: "Unknown error" message from pfctl on an existing table

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 20 Sep 2024 10:27:30 UTC
On 20 Sep 2024, at 11:21, Alexander Leidinger wrote:
> Am 2024-09-20 12:00, schrieb Kristof Provost:
>> On 20 Sep 2024, at 10:50, Alexander Leidinger wrote:
>>> Hi,
>>>
>>> # pfctl -s Tables
>>> bruteforce
>>> crowdsec-blocklists
>>> crowdsec6-blocklists
>>> martians
>>> martians6
>>>
>>> # pfctl -t crowdsec-blocklists -T show
>>> pfctl: Unknown error: -1.
>>>
>>> What could be the cause of this error?
>> The next debugging step would be to use ‘truss’ to see what call fails.
>
> When I list a working table (crowdsec6-blocklists):
> ---snip---
> openat(AT_FDCWD,"/dev/pf",O_RDONLY,00)           = 3 (0x3)
> ioctl(3,DIOCGETALTQSV1,0x233eb87dbe0)            ERR#19 'Operation not supported by device'
> openat(AT_FDCWD,"/dev/pf",O_RDWR,00)             = 4 (0x4)
> socket(PF_NETLINK,SOCK_RAW,16)                   = 5 (0x5)
> setsockopt(5,270,11,0x233eb87db7c,4)             = 0 (0x0)
> getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x233eb87db74,0x233eb87db78) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x233eb87d240)             = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x233eb87d240)             = 0 (0x0)
> fstat(1,{ mode=-rw-r--r-- ,inode=6897,size=7721,blksize=24064 }) = 0 (0x0)
>    2001:620:20d0::24
>    2001:67c:6ec:203:192:42:116:173
>    2001:67c:6ec:203:192:42:116:174
> ---snip---
>
> When I list the non-working table (crowdsec-blocklists):
> ---snip---
> openat(AT_FDCWD,"/dev/pf",O_RDONLY,00)           = 3 (0x3)
> ioctl(3,DIOCGETALTQSV1,0x19fc93899a90)           ERR#19 'Operation not supported by device'
> openat(AT_FDCWD,"/dev/pf",O_RDWR,00)             = 4 (0x4)
> socket(PF_NETLINK,SOCK_RAW,16)                   = 5 (0x5)
> setsockopt(5,270,11,0x19fc93899a2c,4)            = 0 (0x0)
> getsockopt(5,SOL_SOCKET,SO_RCVBUF,0x19fc93899a24,0x19fc93899a28) = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x19fc938990f0)            = 0 (0x0)
> ioctl(3,DIOCRGETADDRS,0x19fc938990f0)            ERR#22 'Invalid argument'
> issetugid()                                      = 0 (0x0)
> ---snip---
>
That’s not the error code I see for a non-existent table, so it’s not quite the same issue.

DIOCRGETADDRS returns EINVAL, which is probably because the table is running into the net.pf.request_maxcount limit. Try increasing that sysctl.

That limitation will go away when I get around to converting that particular ioctl to netlink, but that probably won’t be today. I still hope to get all of them converted before we branch 15, but that’s a hope and not a promise.

In the meantime I’ll improve libpfctl so we get an actual error message printed in pfctl, rather than ‘unknown error’.

>> I can reproduce the error message attempting to list a table that doesn’t exist.
>
> Well... at least it shows up in the list of tables...
>
>> There’s been a bug with table name length: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279225 so perhaps that’s what you’re running into.
>
> I can list crowdsec6-blocklists, but not crowdsec-blocklists. This is current as of 2024-09-05-105247. After looking at the PR, I should run a FreeBSD version which is not affected by this. Correct?
>
Correct.

Best regards,
Kristof
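The check Kristof suggests above (is the table bigger than net.pf.request_maxcount allows in one DIOCRGETADDRS call?), worked through as an added shell example that is not part of this thread and not code from FreeBSD or pfctl. It reads the table's address count from the per-table statistics (`pfctl -vvsT`, the "Addresses:" line), which come from a different ioctl than the one that fails and so remain readable when `-T show` does not, then prints the sysctl to run. The script name `check_pf_table.sh`, the factor of two headroom, the constant 65535 used for the offline run (the default in pf_ioctl.c; check it with `sysctl net.pf.request_maxcount` on your host) and the sample table sizes are all assumptions; the sample output is constructed, not taken from the poster's machine. One caveat when reading the truss output: the `DIOCGETALTQSV1` ENODEV line appears in both the working and the failing trace, so it is pfctl probing for ALTQ and not the failure.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD/pfctl: check
# whether a pf table holds more addresses than net.pf.request_maxcount allows
# in one DIOCRGETADDRS call (the EINVAL seen in the truss output above), and
# print the sysctl needed to raise the limit.

# Pure check: print a suggested new limit and return 0 when the table does not
# fit in the current limit; print nothing and return 1 when it does.
# The factor of 2 headroom is an assumption, not a pf requirement.
needed_maxcount() {
    addrs=$1
    limit=$2
    if [ "$addrs" -le "$limit" ]; then
        return 1
    fi
    echo $((addrs * 2))
}

# Read the address count for one table from "pfctl -vvsT" output on stdin.
# The per-table statistics do not go through DIOCRGETADDRS, so they are still
# readable when "pfctl -t <table> -T show" fails.
table_size_from_stats() {
    awk -v t="$1" '
        $NF == t && NF >= 2 { found = 1; next }   # flags line: "<flags>\t<name>"
        found && $1 == "Addresses:" { print $2; exit }'
}

# Constructed sample in the shape of "pfctl -vvsT" output (not real output
# from the poster's machine), used for the stand-alone run below.
sample_stats() {
    printf '%s\t%s\n' '-pa-r-C' 'crowdsec-blocklists'
    printf '\tAddresses:   70000\n'
    printf '\tCleared:     Fri Sep 20 10:00:00 2024\n'
    printf '\tReferences:  [ Anchors: 0 Rules: 1 ]\n'
    printf '%s\t%s\n' '-pa-r-C' 'crowdsec6-blocklists'
    printf '\tAddresses:   1200\n'
    printf '\tCleared:     Fri Sep 20 10:00:00 2024\n'
    printf '\tReferences:  [ Anchors: 0 Rules: 1 ]\n'
}

# Compare one table against a limit and print what to do.
# $1 = table name, $2 = address count, $3 = current net.pf.request_maxcount
report() {
    table=$1 addrs=$2 limit=$3
    if new=$(needed_maxcount "$addrs" "$limit"); then
        echo "$table: $addrs addresses exceed net.pf.request_maxcount=$limit"
        echo "  run:     sysctl net.pf.request_maxcount=$new"
        echo "  persist: echo net.pf.request_maxcount=$new >> /etc/sysctl.conf"
    else
        echo "$table: $addrs addresses fit in net.pf.request_maxcount=$limit"
    fi
}

# Live check on a FreeBSD host (needs access to /dev/pf):
#   sh check_pf_table.sh crowdsec-blocklists
check_table() {
    limit=$(sysctl -n net.pf.request_maxcount)
    addrs=$(pfctl -vvsT | table_size_from_stats "$1")
    if [ -z "$addrs" ]; then
        echo "table $1 not found in pfctl -vvsT output" >&2
        return 2
    fi
    report "$1" "$addrs" "$limit"
}

if [ $# -eq 1 ]; then
    check_table "$1"
else
    # No table given: run against the constructed sample with 65535, the
    # default limit in pf_ioctl.c (assumed here; verify on your host).
    for t in crowdsec-blocklists crowdsec6-blocklists; do
        report "$t" "$(sample_stats | table_size_from_stats "$t")" 65535
    done
fi
```

Run without arguments it reports on the constructed sample, where `crowdsec-blocklists` (70000 entries) exceeds 65535 and `crowdsec6-blocklists` (1200) does not, matching the pattern in the thread where only the IPv4 table fails. Raising the sysctl is the workaround Kristof gives; the thread also says the limit itself is expected to disappear once DIOCRGETADDRS is converted to netlink, so re-check after upgrading rather than carrying a large value forever.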