On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: > On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: > > The issue occurred first two years ago, after upgrade from 8 to 9 > > branch. Now this i386 machine is running 11.0-STABLE and despite it was > > compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time > > message buffer is fed with: > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > pfr_update_stats: assertion failed. > > These messages are still filling system message buffer. According to > pfctl (8) there is nothing wrong with incrementing "XPass" counters > instead of the "Pass" counters. The message "pfr_update_stats: assertion > failed" is printed for debugging purposes only. One could also compare > the counters with the command "pfctl -sT -vv". > > OpenBSD converted printf()'s to DPFDEBUG() macro in their sources almost > 8 years ago. Only this printf() in pf_table.c has been converted to the > level of LOG_DEBUG [1]. > > Perhaps this line of code could be removed from FreeBSD PF sources? >
The previous patch was hastily prepared. It should rather look like this: --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200 +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.353490000 +0200 @@ -1984,9 +1984,7 @@ panic("%s: unknown address family %u", __func__, af); } - if ((ke == NULL || ke->pfrke_not) != notrule) { - if (op_pass != PFR_OP_PASS) - printf("pfr_update_stats: assertion failed.\n"); + if ((ke == NULL || ke->pfrke_not) != notrule) op_pass = PFR_OP_XPASS; - } kt->pfrkt_packets[dir_out][op_pass]++; kt->pfrkt_bytes[dir_out][op_pass] += len; -- Marek Zarychta
signature.asc
Description: PGP signature