pf rules not being loaded during boot on 7.1-PRERELEASE

Jeremy Chadwick koitsu at FreeBSD.org
Fri Oct 3 11:17:05 UTC 2008 

On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE.  I  
> rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no  
> rules got loaded during boot, despite pf itself having been enabled:
>
> router# pfctl -s rules
> router# pfctl -e -f /etc/pf.conf
> pfctl: pf already enabled
> [connection is closed due to new rules being loaded]
> router# pfctl -s rules
> scrub in all fragment reassemble
> [... lots of rules listed]
>
> Has anyone else seen this problem, or have I just missed something  
> that's changed between 7.0 and 7.1 in the way pf works?

I was seeing something similar on my own box which I just upgraded from
a 150-day-old RELENG_6 to present RELENG_6.  pfctl -s rules output no
rules.  pfctl -s info showed packet counters, but no interface stats
(due to the rules not being loaded, e.g. no loginterface).

kldstat showed pflog.ko and pf.ko loaded.

If I did /etc/rc.d/pf start, the rules would loaded, and everything
starts working as expected.

I rebooted the box and saw the following on serial console, which I'm
pretty sure is what's responsible for the breakage:

Enabling pf.
Oct  3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
cannot determine interface bandwidth for bge0, specify an absolute
bandwidth
altq not defined on bge0
altq not defined on bge0
/conf/ME/pf.conf:52: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:53: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:54: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
pf enabled

I'd recommend you check your kernel console log on boot-up and see if
anything is showing up there.  I'm about to go digging to find out
what's wrong with my ALTQ rules.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-stable mailing list