Date: Sun, 24 Jun 2018 13:56:07 +0200 From: "Kristof Provost" <kristof@sigsegv.be> To: "Marek Zarychta" <zarychtam@plan-b.pwste.edu.pl> Cc: freebsd-pf@freebsd.org Subject: Re: pfr_update_stats: assertion failed. Message-ID: <322F58D6-B7CA-4F78-A860-D43E4F07E402@sigsegv.be> In-Reply-To: <20180623164616.GA82672@plan-b.pwste.edu.pl> References: <20161016181713.GA95110@plan-b.pwste.edu.pl> <20180623152729.GA81271@plan-b.pwste.edu.pl> <20180623164616.GA82672@plan-b.pwste.edu.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 23 Jun 2018, at 18:46, Marek Zarychta wrote:
> On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
>> On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
>>> The issue occurred first two years ago, after upgrade from 8 to 9
>>> branch. Now this i386 machine is running 11.0-STABLE and despite it
>>> was
>>> compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time
>>> message buffer is fed with:
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>> pfr_update_stats: assertion failed.
>>
>> These messages are still filling system message buffer. According to
>> pfctl (8) there is nothing wrong with incrementing "XPass" counters
>> instead of the "Pass" counters. The message "pfr_update_stats:
>> assertion
>> failed" is printed for debugging purposes only. One could also
>> compare
>> the counters with the command "pfctl -sT -vv".
>>
>> OpenBSD converted printf()'s to DPFDEBUG() macro in their sources
>> almost
>> 8 years ago. Only this printf() in pf_table.c has been converted to
>> the
>> level of LOG_DEBUG [1].
>>
>> Perhaps this line of code could be removed from FreeBSD PF sources?
>>
>
> The previous patch was hastily prepared. It should rather look like
> this:
>
> --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200
> +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.353490000 +0200
> @@ -1984,9 +1984,7 @@
> panic("%s: unknown address family %u", __func__, af);
> }
> - if ((ke == NULL || ke->pfrke_not) != notrule) {
> - if (op_pass != PFR_OP_PASS)
> - printf("pfr_update_stats: assertion failed.\n");
> + if ((ke == NULL || ke->pfrke_not) != notrule)
> op_pass = PFR_OP_XPASS;
> - }
> kt->pfrkt_packets[dir_out][op_pass]++;
> kt->pfrkt_bytes[dir_out][op_pass] += len;
>
We could delete those lines and that’d get rid of the dmesg noise, but
I’m a bit worried that this demonstrates an actual problem.
It’s not at all clear to me what’s going on in this bit of the code,
and the OpenBSD repo doesn’t have any information about it either.
Regards,
Kristof
From owner-freebsd-pf@freebsd.org Sun Jun 24 19:07:31 2018
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6EBE71009E17
for <freebsd-pf@mailman.ysv.freebsd.org>; Sun, 24 Jun 2018 19:07:31 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl
[IPv6:2001:678:618::40])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "plan-b.pwste.edu.pl",
Issuer "Let's Encrypt Authority X3" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id E378D732A6
for <freebsd-pf@freebsd.org>; Sun, 24 Jun 2018 19:07:30 +0000 (UTC)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (zarychtam@localhost [127.0.0.1])
by plan-b.pwste.edu.pl (8.15.2/8.15.2) with ESMTPS id w5OJ7Q57006875
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
Sun, 24 Jun 2018 21:07:26 +0200 (CEST)
(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
s=plan-b-mailer; t=1529867247;
bh=p7sDBBUDJY/Hw7vIoSOmRwvkilO7JveNAYUKabSvJEs=;
h=Date:From:To:Cc:Subject:References:In-Reply-To;
b=AOTc87pfCtdc0f57SFxJ+VgUYIUB+TYHy/943GRo9UYgVuWb9Ksy0L9/brbLbTer2
T9kyDSx9+ivau+wbdg0JJj6FtvRvCbw8NiuILysaliGU9is8IGvk/Kujb0d9eT4MWG
EmJ6q0pwzzyKybkSIn/JNlvrzoslRE4Di63PoXT8Di8/Esq+QAZKHXSfhDD8badtg5
zJ0AZV98JhKlAt7QkIeA1uQDMegZ+fqMfihwebf3RWFKk1vNalewBn5NRVSYtf3NPQ
nAjr++jPkMjCwcgwUaWP4eo9GXwwT2jJ+Ocp4gpLizlJJLPKSobpn9GrmvDdgdjGzB
0lN1+77NE3M2A==
Received: (from zarychtam@localhost)
by plan-b.pwste.edu.pl (8.15.2/8.15.2/Submit) id w5OJ7Q7O006874;
Sun, 24 Jun 2018 21:07:26 +0200 (CEST) (envelope-from zarychtam)
Date: Sun, 24 Jun 2018 21:07:26 +0200
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Kristof Provost <kristof@sigsegv.be>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfr_update_stats: assertion failed.
Message-ID: <20180624190726.GA6807@plan-b.pwste.edu.pl>
References: <20161016181713.GA95110@plan-b.pwste.edu.pl>
<20180623152729.GA81271@plan-b.pwste.edu.pl>
<20180623164616.GA82672@plan-b.pwste.edu.pl>
<322F58D6-B7CA-4F78-A860-D43E4F07E402@sigsegv.be>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
In-Reply-To: <322F58D6-B7CA-4F78-A860-D43E4F07E402@sigsegv.be>
User-Agent: Mutt/1.10.0 (2018-05-17)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>;
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jun 2018 19:07:31 -0000
--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Jun 24, 2018 at 01:56:07PM +0200, Kristof Provost wrote:
> On 23 Jun 2018, at 18:46, Marek Zarychta wrote:
> > On Sat, Jun 23, 2018 at 05:27:29PM +0200, Marek Zarychta wrote:
> >> On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote:
> >>> The issue occurred first two years ago, after upgrade from 8 to 9
> >>> branch. Now this i386 machine is running 11.0-STABLE and despite it=
=20
> >>> was
> >>> compiled with "WITHOUT_ASSERT_DEBUG=3Dyes", still from time to time
> >>> message buffer is fed with:
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>> pfr_update_stats: assertion failed.
> >>
> >> These messages are still filling system message buffer. According to
> >> pfctl (8) there is nothing wrong with incrementing "XPass" counters
> >> instead of the "Pass" counters. The message "pfr_update_stats:=20
> >> assertion
> >> failed" is printed for debugging purposes only. One could also=20
> >> compare
> >> the counters with the command "pfctl -sT -vv".
> >>
> >> OpenBSD converted printf()'s to DPFDEBUG() macro in their sources=20
> >> almost
> >> 8 years ago. Only this printf() in pf_table.c has been converted to=20
> >> the
> >> level of LOG_DEBUG [1].
> >>
> >> Perhaps this line of code could be removed from FreeBSD PF sources?
> >>
> >
> > The previous patch was hastily prepared. It should rather look like=20
> > this:
> >
> > --- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200
> > +++ sys/netpfil/pf/pf_table.c 2018-06-23 18:17:49.353490000 +0200
> > @@ -1984,9 +1984,7 @@
> > panic("%s: unknown address family %u", __func__, af);
> > }
> > - if ((ke =3D=3D NULL || ke->pfrke_not) !=3D notrule) {
> > - if (op_pass !=3D PFR_OP_PASS)
> > - printf("pfr_update_stats: assertion failed.\n");
> > + if ((ke =3D=3D NULL || ke->pfrke_not) !=3D notrule)
> > op_pass =3D PFR_OP_XPASS;
> > - }
> > kt->pfrkt_packets[dir_out][op_pass]++;
> > kt->pfrkt_bytes[dir_out][op_pass] +=3D len;
> >
> We could delete those lines and that=E2=80=99d get rid of the dmesg noise=
, but=20
> I=E2=80=99m a bit worried that this demonstrates an actual problem.
> It=E2=80=99s not at all clear to me what=E2=80=99s going on in this bit o=
f the code,=20
> and the OpenBSD repo doesn=E2=80=99t have any information about it either.
>=20
This machine acts as a NAT/firewall gateway for about a hundred users.
A few hundred of PF rules + 20 tables are used. The error appeared
suddenly after upgrade from 8-STABLE to 10-STABLE 3 years ago. It never
occurred when the firewall run PF on 8-STABLE. I don't remember whether
firewall rules were changed at that time. If it is true then changes
concerned only the compatibility with the newer version of PF.
If it demonstrates an actual problem, then, please give me a clue how to
debug it. On the other hand, ~6 years ago PF was significantly reworked.
Is this piece of code still relevant there?
--=20
Marek Zarychta
--7AUc2qLy4jB3hD7Z
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEMOqvKm6wKvS1/ZeCdZ/s//1SjSwFAlsv6+sACgkQdZ/s//1S
jSxYcAf7BKSdrEyjJKZqwlBbF/8oGclpxkocwmkOI4pl68fRvn7fSa5+vYn2V8cL
e6Wuxq7OBroQAnxaP90WM/cJFrWvcHttnrMBVtbn3nIECht95qvC4WQeJd4oevyY
4CMMIdXqNTk/y6WZRvV0TQhvOw7iAQuc34Um6FvTgGlbYsDmhwAWBwL3p/oveHFS
PGYfBImBhLo8rmoo3C3ppZUP7WgVVv+yUc7EByK60ID/IeAxh8MQ8AAgcGC9mNyz
yt/K4g4ICd0pkx5bo3SX1yxigBUT3x1FbrHkNzxCAfyNFG8biDjB5xHkAUaMc8dF
6qLt9dZsXxoRniCBeNaWb9vZ0UjkvQ==
=9HXl
-----END PGP SIGNATURE-----
--7AUc2qLy4jB3hD7Z--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?322F58D6-B7CA-4F78-A860-D43E4F07E402>