Re: PF works on 6.0_RC2 despite error messages

To: Pongthep Kulkrisada <ptkrisada%gmail.com@localhost>
Subject: Re: PF works on 6.0_RC2 despite error messages
From: Darrel <levitch%iglou.com@localhost>
Date: Sun, 23 Sep 2012 07:52:10 -0400 (EDT)


On Sun, 23 Sep 2012, Pongthep Kulkrisada wrote:

Hi All,

After cvs and built from 5.1_STABLE to 6.2_RC2,
I remained PF configuration unchanged.
And I checked that PF works very well.
But recently I've just noticed PF warning messages during boot.

-----------------------------------------------------------
Setting tty flags.
pfctl: DIOCSETSTATUSIF
...
Enabling pf firewall.
pfctl: DIOCSETSTATUSIF
/etc/rc.d/pf exited with code 1
...
Starting pflogd.
...
The following components reported failures:
        /etc/rc.d/pf
See /var/run/rc.log for more information.
-----------------------------------------------------------

Related /var/run/log
-----------------------------------------------------------
...
[running /etc/rc.d/pf_boot]
pfctl: DIOCSETSTATUSIF
...
[running /etc/rc.d/npf]
[running /etc/rc.d/pf]
Enabling pf firewall.
pfctl: DIOCSETSTATUSIF
/etc/rc.d/pf exited with code 1
...
[running /etc/rc.d/pflogd]
Starting pflogd.
-----------------------------------------------------------
(Note that I do not use npf, although it runs.)

Even if I have such warnings.
But PF still works fine. I can check if it is running.

root@netbsd:~# ps ax | grep pf
221 ?     Is   0:00.03 pflogd: [priv]
291 ?     S    0:00.98 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pf
667 ttyE0 R+   0:00.00 grep pf

/dev/pf is there.
I can still disable, enable, reload filtering rules.
I can also do ``/etc/rc.d/pf restart'' or whatever without any problems.
With exactly the same configuration, there is only a warning on 5.1_STABLE i.e.
pfctl: DIOCSETSTATUSIF that happens twice when booting 5.1_STABLE.
(I think, one from pf_boot and another from pf.)

Why are such warnings displayed, without any actual effects?
Any comments are highly appreciated.

Partial /etc/rc.conf
-----------------------------------------------------------
lkm=YES
pf=YES
pf_rules="/etc/pf.conf"
pflogd=YES
-----------------------------------------------------------

Partial /etc/lkm.conf
-----------------------------------------------------------
/usr/lkm/pf.o   -               -               -               -               
BEFORENET
-----------------------------------------------------------

root@netbsd:~# uname -a
NetBSD netbsd.localdomain 6.0_RC2 NetBSD 6.0_RC2 (GENERIC) #0: Wed Sep 19 
19:46:32 ICT 2012  
root@netbsd.localdomain:/usr/obj/sys/arch/i386/compile/GENERIC i386


Hello Pongthep,

Hopefully someone will be capable of answering your actual question.

You might want to try out NPF in NetBSD. It still has a few bugs buttests well wity 'nmap' and the like.


 from RC2:

# cat /etc/pf.conf | grep 2007
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $

Sort of old?

and this from FreeBSD:

http://www.freebsd.org/cgi/query-pr.cgi?pr=167057

I only use Packet Filter on OpenBSD from now on.

Kind Regards,
Darrel

Follow-Ups:
- Re: PF works on 6.0_RC2 despite error messages
  - From: Pongthep Kulkrisada

References:
- PF works on 6.0_RC2 despite error messages
  - From: Pongthep Kulkrisada

Prev by Date: PF works on 6.0_RC2 despite error messages
Next by Date: Re: PF works on 6.0_RC2 despite error messages
Previous by Thread: PF works on 6.0_RC2 despite error messages
Next by Thread: Re: PF works on 6.0_RC2 despite error messages
Indexes:

Home | Main Index | Thread Index | Old Index