Re: "Operation not permitted" on 9.0-BETA1 firewall (PF) about 1
It appears that PF isn't removing any entries from the state table. Note that the state table size is at its default of 10000 (which correlates to the amount of memory installed on the firewall - 256 MB).
State Table Total Rate
current entries 10013
searches 554801 13.4/s
inserts 10013 0.2/s
removals 0 0.0/s
When I booted the debug kernel last night, it panicked in pfsync_send_plus as soon as init enabled PF (backtrace included below).
Starting pflog.
pflog0: promiscuous mode enabled
Aug 25 20:54:21 pflogd[1611]: [priv]: msg PRIV_OPEN_LOG received
Enabling pfpanic: mutex pf task mtx owned at /usr/src/sys/contrib/pf/net/if_pfsync.c:3163
cpuid = 0
KDB: enter: panic
[ thread pid 1619 tid 100053 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
db> bt
Tracing pid 1619 tid 100053 td 0xc23da2e0
kdb_enter(c09777c9,c09777c9,c0975d7b,c6fd79e0,0,...) at kdb_enter+0x3a
panic(c0975d7b,c0946080,c0944e87,c5b,c6fd7a0c,...) at panic+0x134
_mtx_assert(c0a1b388,0,c0944e87,c5b,c6fd7a24,...) at _mtx_assert+0x127
pfsync_send_plus(c6fd7a24,18,10,ad6,1000000,...) at pfsync_send_plus+0xf2
pfsync_clear_states(a218d664,c236fb78,c0945f1c,635,c09ae167,...) at pfsync_clear_states+0x8d
pfioctl(c22a0800,c0cc4412,c236fb00,3,c23da2e0,...) at pfioctl+0x1b90
devfs_ioctl_f(c23ce578,c0cc4412,c236fb00,c216ce80,c23da2e0,...) at devfs_ioctl_f+0x10b
kern_ioctl(c23da2e0,3,c0cc4412,c236fb00,1fd7cec,...) at kern_ioctl+0x21d
ioctl(c23da2e0,c6fd7cec,c6fd7d28,c097d93a,0,...) at ioctl+0x134
syscallenter(c23da2e0,c6fd7ce4,c6fd7ce4,0,0,...) at syscallenter+0x263
syscall(c6fd7d28) at syscall+0x34
Xint0x80_syscall() at Xint0x80_syscall+0x21
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281e6263, esp = 0xbfbfe8ac, ebp = 0xbfbfe998 ---
db>
I just re-ran csup (sorry, not sure how to find the specific revision ID) and noticed that pf.c was updated, so I'm going to make world and see if that fixes anything.
Best wishes,
Matthew
討論串 (同標題文章)
完整討論串 (本文為第 1 之 2 篇):