Problem reports for p...@freebsd.org that need special attention
To view an individual PR, use: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id). The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases. Status |Bug Id | Description +---+--- Open|203735 | Transparent interception of ipv6 with squid and p 1 problems total for which you should take action. ___ freebsd-pf@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: pfr_update_stats: assertion failed.
On 24 Jun 2018, at 21:07, Marek Zarychta wrote: On Sun, Jun 24, 2018 at 01:56:07PM +0200, Kristof Provost wrote: On 23 Jun 2018, at 18:46, Marek Zarychta wrote: On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: The issue occurred first two years ago, after upgrade from 8 to 9 branch. Now this i386 machine is running 11.0-STABLE and despite it was compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time message buffer is fed with: pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. These messages are still filling system message buffer. According to pfctl (8) there is nothing wrong with incrementing "XPass" counters instead of the "Pass" counters. The message "pfr_update_stats: assertion failed" is printed for debugging purposes only. One could also compare the counters with the command "pfctl -sT -vv". OpenBSD converted printf()'s to DPFDEBUG() macro in their sources almost 8 years ago. Only this printf() in pf_table.c has been converted to the level of LOG_DEBUG [1]. Perhaps this line of code could be removed from FreeBSD PF sources? The previous patch was hastily prepared. It should rather look like this: --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200 +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.35349 +0200 @@ -1984,9 +1984,7 @@ panic("%s: unknown address family %u", __func__, af); } - if ((ke == NULL || ke->pfrke_not) != notrule) { - if (op_pass != PFR_OP_PASS) - printf("pfr_update_stats: assertion failed.\n"); + if ((ke == NULL || ke->pfrke_not) != notrule) op_pass = PFR_OP_XPASS; - } kt->pfrkt_packets[dir_out][op_pass]++; kt->pfrkt_bytes[dir_out][op_pass] += len; We could delete those lines and that’d get rid of the dmesg noise, but I’m a bit worried that this demonstrates an actual problem. It’s not at all clear to me what’s going on in this bit of the code, and the OpenBSD repo doesn’t have any information about it either. This machine acts as a NAT/firewall gateway for about a hundred users. A few hundred of PF rules + 20 tables are used. The error appeared suddenly after upgrade from 8-STABLE to 10-STABLE 3 years ago. It never occurred when the firewall run PF on 8-STABLE. I don't remember whether firewall rules were changed at that time. If it is true then changes concerned only the compatibility with the newer version of PF. If it demonstrates an actual problem, then, please give me a clue how to debug it. On the other hand, ~6 years ago PF was significantly reworked. Is this piece of code still relevant there? I honestly don’t know. I’d be good to actually investigate this before simply removing the warning. Unfortunately I just don’t have the time to dig into this right now. The only thing I can suggest is to look at the code and work out where the op_pass value comes from (and perhaps also what it’s used for. Why is PRF_OP_XPASS better than !PFR_OP_PASS? It’s still present (though perhaps not logged) in OpenBSD too. Regards, Kristof ___ freebsd-pf@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: pfr_update_stats: assertion failed.
On Sun, Jun 24, 2018 at 01:56:07PM +0200, Kristof Provost wrote: > On 23 Jun 2018, at 18:46, Marek Zarychta wrote: > > On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: > >> On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: > >>> The issue occurred first two years ago, after upgrade from 8 to 9 > >>> branch. Now this i386 machine is running 11.0-STABLE and despite it > >>> was > >>> compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time > >>> message buffer is fed with: > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >>> pfr_update_stats: assertion failed. > >> > >> These messages are still filling system message buffer. According to > >> pfctl (8) there is nothing wrong with incrementing "XPass" counters > >> instead of the "Pass" counters. The message "pfr_update_stats: > >> assertion > >> failed" is printed for debugging purposes only. One could also > >> compare > >> the counters with the command "pfctl -sT -vv". > >> > >> OpenBSD converted printf()'s to DPFDEBUG() macro in their sources > >> almost > >> 8 years ago. Only this printf() in pf_table.c has been converted to > >> the > >> level of LOG_DEBUG [1]. > >> > >> Perhaps this line of code could be removed from FreeBSD PF sources? > >> > > > > The previous patch was hastily prepared. It should rather look like > > this: > > > > --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200 > > +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.35349 +0200 > > @@ -1984,9 +1984,7 @@ > > panic("%s: unknown address family %u", __func__, af); > > } > > - if ((ke == NULL || ke->pfrke_not) != notrule) { > > - if (op_pass != PFR_OP_PASS) > > - printf("pfr_update_stats: assertion failed.\n"); > > + if ((ke == NULL || ke->pfrke_not) != notrule) > > op_pass = PFR_OP_XPASS; > > - } > > kt->pfrkt_packets[dir_out][op_pass]++; > > kt->pfrkt_bytes[dir_out][op_pass] += len; > > > We could delete those lines and that’d get rid of the dmesg noise, but > I’m a bit worried that this demonstrates an actual problem. > It’s not at all clear to me what’s going on in this bit of the code, > and the OpenBSD repo doesn’t have any information about it either. > This machine acts as a NAT/firewall gateway for about a hundred users. A few hundred of PF rules + 20 tables are used. The error appeared suddenly after upgrade from 8-STABLE to 10-STABLE 3 years ago. It never occurred when the firewall run PF on 8-STABLE. I don't remember whether firewall rules were changed at that time. If it is true then changes concerned only the compatibility with the newer version of PF. If it demonstrates an actual problem, then, please give me a clue how to debug it. On the other hand, ~6 years ago PF was significantly reworked. Is this piece of code still relevant there? -- Marek Zarychta signature.asc Description: PGP signature
Re: pfr_update_stats: assertion failed.
On 23 Jun 2018, at 18:46, Marek Zarychta wrote: On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote: On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: The issue occurred first two years ago, after upgrade from 8 to 9 branch. Now this i386 machine is running 11.0-STABLE and despite it was compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time message buffer is fed with: pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. pfr_update_stats: assertion failed. These messages are still filling system message buffer. According to pfctl (8) there is nothing wrong with incrementing "XPass" counters instead of the "Pass" counters. The message "pfr_update_stats: assertion failed" is printed for debugging purposes only. One could also compare the counters with the command "pfctl -sT -vv". OpenBSD converted printf()'s to DPFDEBUG() macro in their sources almost 8 years ago. Only this printf() in pf_table.c has been converted to the level of LOG_DEBUG [1]. Perhaps this line of code could be removed from FreeBSD PF sources? The previous patch was hastily prepared. It should rather look like this: --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200 +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.35349 +0200 @@ -1984,9 +1984,7 @@ panic("%s: unknown address family %u", __func__, af); } - if ((ke == NULL || ke->pfrke_not) != notrule) { - if (op_pass != PFR_OP_PASS) - printf("pfr_update_stats: assertion failed.\n"); + if ((ke == NULL || ke->pfrke_not) != notrule) op_pass = PFR_OP_XPASS; - } kt->pfrkt_packets[dir_out][op_pass]++; kt->pfrkt_bytes[dir_out][op_pass] += len; We could delete those lines and that’d get rid of the dmesg noise, but I’m a bit worried that this demonstrates an actual problem. It’s not at all clear to me what’s going on in this bit of the code, and the OpenBSD repo doesn’t have any information about it either. Regards, Kristof ___ freebsd-pf@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"