pf rules not being loaded during boot on 7.1-PRERELEASE

Gary Palmer gpalmer at
Fri Oct 3 18:04:53 UTC 2008

On Fri, Oct 03, 2008 at 04:17:03AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> > I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE.  I  
> > rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no  
> > rules got loaded during boot, despite pf itself having been enabled:
> >
> > router# pfctl -s rules
> > router# pfctl -e -f /etc/pf.conf
> > pfctl: pf already enabled
> > [connection is closed due to new rules being loaded]
> > router# pfctl -s rules
> > scrub in all fragment reassemble
> > [... lots of rules listed]
> >
> > Has anyone else seen this problem, or have I just missed something  
> > that's changed between 7.0 and 7.1 in the way pf works?
> I was seeing something similar on my own box which I just upgraded from
> a 150-day-old RELENG_6 to present RELENG_6.  pfctl -s rules output no
> rules.  pfctl -s info showed packet counters, but no interface stats
> (due to the rules not being loaded, e.g. no loginterface).
> kldstat showed pflog.ko and pf.ko loaded.
> If I did /etc/rc.d/pf start, the rules would load, and everything
> starts working as expected.
> I rebooted the box and saw the following on serial console, which I'm
> pretty sure is what's responsible for the breakage:
> Enabling pf.
> Oct  3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
> cannot determine interface bandwidth for bge0, specify an absolute
> bandwidth
> altq not defined on bge0
> altq not defined on bge0
> /conf/ME/pf.conf:52: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:53: errors in queue definition
> altq not defined on bge0
> /conf/ME/pf.conf:54: errors in queue definition
> pfctl: Syntax error in config file: pf rules not loaded
> pf enabled
> I'd recommend you check your kernel console log on boot-up and see if
> anything is showing up there.  I'm about to go digging to find out
> what's wrong with my ALTQ rules.

I noticed the last time I rebooted my gateway to patch the latest
v6 hole that vr0 (in my case) had not negotiated link by the time
pf started (even though it's a static IP address, not DHCP).  This meant
that there was no link speed for altq to base its queueing on, and
the entire pf load failed (I think).

I changed my vr0 altq line to hardcode the speed at 100mbit and I think
that should fix it.

Why this is an issue now and it wasn't previously I'm not sure.  The
current failure mode is certainly not helpful.  I'm not sure if we
should force pf to wait for link on altq interfaces or not.
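The failure mode discussed in this thread (pf loading before the ALTQ interface has negotiated link, so the whole ruleset is rejected) can be caught before `pfctl -f` runs. The script below is an added example, not code from the thread or from FreeBSD's rc.d; it assumes FreeBSD `ifconfig` output with a `status: active` / `status: no carrier` line and `altq on <if> ...` lines in pf.conf.

```shell
#!/bin/sh
# Added example (not from the thread): before loading pf, find the interfaces
# named in "altq on ..." lines, flag any that rely on the negotiated link
# speed (no absolute "bandwidth"), and wait for link on them so a missing
# link speed cannot fail the whole ruleset.
# Assumes FreeBSD ifconfig output ("status: active" / "status: no carrier").

# altq_ifaces PFCONF_TEXT -> interface names from "altq on <if> ..." lines
altq_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*altq on \([A-Za-z0-9_.]*\).*/\1/p'
}

# altq_without_bandwidth PFCONF_TEXT -> interfaces whose altq line has no
# absolute "bandwidth" and therefore depends on link speed at load time
altq_without_bandwidth() {
    printf '%s\n' "$1" | grep '^[[:space:]]*altq on ' | grep -v 'bandwidth' \
        | sed 's/^[[:space:]]*altq on \([A-Za-z0-9_.]*\).*/\1/'
}

# link_active IFCONFIG_TEXT -> 0 if the ifconfig text reports an active link
link_active() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*status: active$'
}

# wait_for_link IFACE TIMEOUT_SECS -> 0 once link is up, 1 on timeout
wait_for_link() {
    _left=${2:-30}
    while [ "$_left" -gt 0 ]; do
        link_active "$(ifconfig "$1" 2>/dev/null)" && return 0
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# Usage: pf_wait_load /etc/pf.conf [timeout_secs]
pf_wait_load() {
    _conf=$(cat "$1")
    for _if in $(altq_without_bandwidth "$_conf"); do
        echo "warning: altq on $_if has no absolute bandwidth" >&2
    done
    for _if in $(altq_ifaces "$_conf"); do
        wait_for_link "$_if" "${2:-30}" || echo "warning: no link on $_if" >&2
    done
    pfctl -f "$1"
}

if [ $# -ge 1 ]; then pf_wait_load "$@"; fi
```

Run as `sh pf_wait_load.sh /etc/pf.conf 30` from a local rc.d script that is ordered before pf starts; the warnings go to the console, where the thread's other symptoms also appeared.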