I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 GB of memory that always shows <50% used.
This setup has normally been reliable but, since upgrading to 2.1.5, today is the 4th time I've run into a problem after making changes to some aliases. For some reason that I've been unable to see much pattern to, pfSense will suddenly report a rash of errors similar to:

--- [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0]: ] ---

and/or an error indicating that it can't allocate memory (but there's over 50% reported as being available).

When this happens, the following kind of error will occur during the reboot while first configuring the firewall ...

--- pfi_table_update cannot set <x> new addresses into table <blah>: <x> ---

where "<blah>" varies, even with the same config being rebooted, and seems to be either an interface name or "self". The error continues to recur with a considerable "blocking" pause (up to tens of seconds) each time it (apparently) attempts a reload.

I've handled this issue by restoring the most recently saved config.xml (I save these _very_ often, now!) and it's been "good to go" .. after which I can remake the changes and all has been good.

However, today that strategy didn't work. After restoring the previously saved config.xml, which had been running without issues for about a day, the "pfi_table_update" problems remained after rebooting. Thinking it might be a disk-corruption and/or hardware issue, I built another system (with similar resources) and tested it. The same config fails in an equivalent way.

QUESTION: Can anyone shed some light on how I might troubleshoot this issue?

QUESTION: Does anyone know what's getting loaded when the message

--- There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0] ---

is being issued? ... if I could see the rule that's giving the problem, maybe that'd lead somewhere useful.

Other things I've done, without result ...

Of course I asked Mr. Google and searched the pfSense bug tracker for pfi_table_update, all without results.

I scanned the disk for an operation called pfi_table_update (find / -type f -exec fgrep -l pfi_table_update {} \;) but came up empty-handed so I assume this is not a PHP/pfSense routine.

My first thought when it occurred was that the config.xml file had become corrupted, but I've never found any evidence of that. I've always compared the failed config to the successfully reverted config and found no clues (lately, since I save configs so often, there have only been 2 or 3 changes).

The only thing that's been consistent is that the problem always "pops up" (literally!) after editing aliases and the rules are being reloaded. I'm always careful to change aliases in a way that works from the bottom of the dependencies "up" (when applicable) and, though I do have aliases that include other aliases, I doubt there's anything unusual in either structure or number of aliases I have configured (84 host/network aliases, 67 port aliases and 63 URL aliases).

The only thing (related to the aliases) that may be unusual is that I have about 10 large URL tables (70K entries, each) and have things configured for 250 tables (currently <100) and 2,500,000 table entries (currently about 680K entries). It's the tables that consume memory, not states, in our case.

Any ideas? <grovel, grovel> #;-)