pfr_update_stats: assertion failed.

Kristof Provost kristof at sigsegv.be
Sun Jun 24 11:56:11 UTC 2018 

On 23 Jun 2018, at 18:46, Marek Zarychta wrote:
> On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
>> On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
>>> The issue occurred first two years ago, after upgrade from 8 to 9
>>> branch. Now this i386 machine is running 11.0-STABLE and despite it 
>>> was
>>> compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time
>>> message buffer is fed with:
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>>   pfr_update_stats: assertion failed.
>>
>> These messages are still filling system message buffer. According to
>> pfctl (8) there is nothing wrong with incrementing "XPass" counters
>> instead of the "Pass" counters. The message "pfr_update_stats: 
>> assertion
>> failed" is printed for debugging purposes only. One could also 
>> compare
>> the counters with the command "pfctl -sT -vv".
>>
>> OpenBSD converted printf()'s to DPFDEBUG() macro in their sources 
>> almost
>> 8 years ago. Only this printf() in pf_table.c has been converted to 
>> the
>> level of LOG_DEBUG [1].
>>
>> Perhaps this line of code could be removed from FreeBSD PF sources?
>>
>
> The previous patch was hastily prepared. It should rather look like 
> this:
>
> --- sys/netpfil/pf/pf_table.orig.c	2018-06-23 16:40:14.876882000 +0200
> +++ sys/netpfil/pf/pf_table.c	2018-06-23 18:17:49.353490000 +0200
> @@ -1984,9 +1984,7 @@
>  		panic("%s: unknown address family %u", __func__, af);
>  	}
> -	if ((ke == NULL || ke->pfrke_not) != notrule) {
> -		if (op_pass != PFR_OP_PASS)
> -			printf("pfr_update_stats: assertion failed.\n");
> +	if ((ke == NULL || ke->pfrke_not) != notrule)
>  		op_pass = PFR_OP_XPASS;
> -	}
>  	kt->pfrkt_packets[dir_out][op_pass]++;
>  	kt->pfrkt_bytes[dir_out][op_pass] += len;
>
We could delete those lines and that’d get rid of the dmesg noise, but 
I’m a bit worried that this demonstrates an actual problem.
It’s not at all clear to me what’s going on in this bit of the code, 
and the OpenBSD repo doesn’t have any information about it either.

Regards,
Kristof

More information about the freebsd-pf mailing list