I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 
GB of memory that always shows <50% used.

This setup has normally been reliable but, since upgrading to 2.1.5, today is 
the 4th time I've run into a problem after making changes to some aliases.  For 
some reason that I've been unable to see much pattern to, pfSense will suddenly 
report a rash of errors similar to:
---
[ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - 
The line in question reads [0]: ]
---
and/or an error indicating that it can't allocate memory (but there's over 50% 
reported as being available).


When this happens, the following kind of error will occur during the reboot 
while first configuring the firewall ...
---
pfi_table_update cannot set <x> new addresses into table <blah>: <x>
---
where "<blah>" varies, even with the same config being rebooted, and seems to 
be either an interface name or "self".  The error continues to recur with a 
considerable "blocking" pause (up to tens of seconds) each time it (apparently) 
attempts a reload.


I've handled this issue by restoring the most recently saved config.xml (I save 
these _very_ often, now!) and it's been "good to go" .. after which I can 
remake the changes and all has been good.

However, today that strategy didn't work.  After restoring the previously saved 
config.xml, which had been running without issues for about a day, the 
"pfi_table_update" problems remained after rebooting.


Thinking it might be a disk-corruption and/or hardware issue, I built another 
system (with similar resources) and tested it.  The same config fails in an 
equivalent way.


QUESTION: Can anyone shed some light on how I might troubleshoot this issue?

QUESTION: Does anyone know what's getting loaded when the message
---
There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - 
The line in question reads [0]
---
is being issued? ... if I could see the rule that's giving the problem, maybe 
that'd lead somewhere useful.


Other things I've done, without result ...

Of course I asked Mr. Google and searched the pfSense bug tracker for 
pfi_table_update, all without results.

I scanned the disk for an operation called pfi_table_update
(find / -type f -exec fgrep -l pfi_table_update {} \;)
but came up empty-handed so I assume this is not a php/pfSense routine.

My first thought when it occurred was that the config.xml file had become 
corrupted, but I've never found any evidence of that.  I've always compared the 
failed config to the successfully reverted config and found no clues (lately, 
since I save configs so often, there's only been 2 or 3 changes).  The only 
thing that's been consistent is that the problem always "pops up" (literally!) 
after editing aliases and the rules are being reloaded.

I'm always careful to change aliases in a way that works from the bottom of the 
dependencies "up" (when applicable) and, though I do have aliases that include 
other aliases, I doubt there's anything unusual in either structure or number 
of aliases I have configured (84 host/network aliases, 67 port aliases and 63 
URL aliases).

The only thing (related to the aliases) that may be unusual is that I have 
about 10 large URL tables (70K entries, each) and have things configured for 
250 tables (currently <100) and 2,500,000 table entries (currently about 680K 
entries).  It's the tables that consume memory, not states, in our case.

Any ideas?  <grovel, grovel>  #;-)

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list