authpf error: failed to create table (Device busy)

md.obsd.bugs
Hi

I recently transmitted a bug report concerning an authpf issue in 6.1
(see also [1]) where loading the rules in the authpf anchor fails like
this:
============================================================================
"pfctl: failed to create table __automatic_ba6b4284_0 in /newuser(25710): \
Device busy"   Unable to modify filters
============================================================================

I've not been able to reproduce the error using another set of source IPs.
Maybe I'm overlooking a syntax/config error, but using the same rule in the
base pf.conf file does not result in an evaluation error using pfctl -nf.

Is anyone able to reproduce the error either using the info in [1]
or by its own ruleset?

I'd love to deliver additional debug info.

Looking forward to feedback.
\md

[1] https://marc.info/?l=openbsd-bugs&m=149613063520544


Re: authpf error: failed to create table (Device busy)

md.obsd.bugs
Hi again

I was able to further track down the issue.

If I set ruleset-optimization to none everything works fine.
So it seems that the behavior is triggered somehow by the
optimizer.

Having a look at where the EBUSY is triggered, it looks like
pf_find_ruleset in pfr_ina_define (sys/net/pf_table.c) does
not return anything. I did not get any further yet, but possibly
others can?

Can anyone else confirm this behavior?

regards
\md
 
 
-------- Forwarded Message --------
Date: Thursday, 22 June 2017 at 10:27
From: [hidden email]
To: [hidden email]
Subject: authpf error: failed to create table (Device busy)

Re: authpf error: failed to create table (Device busy)

rafal.ramocki
It looks like I've just hit the same bug. It looks like it is not related to authpf but rather to anchors generally. I'm loading an anchor from pf.conf, then this anchor loads another one with some rules. I have two similar rules in there and disabling one of them will stop returning an error from this anchor.

pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port 1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port 1522

I have quite a few anchors, so I'm failing to load rules a few anchors ahead anyway.

Relevant parts of the config are as follows:

/etc/pf.conf:
anchor "vpn1" in on $if_vpn1
load anchor vpn1 from "/etc/anchors/vpn1.conf"

/etc/anchors/vpn1.conf:
anchor "user4"  in from 172.31.224.217
load anchor user4  from "/etc/anchors/vpn1/user4"

/etc/anchors/vpn1/user4:
pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port 1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port 1522

Re: authpf error: failed to create table (Device busy)

md.obsd.bugs
Did you test whether disabling ruleset optimization "fixes"
the issue in your case too?

\md
 
 

Sent: Friday, 07 July 2017 at 02:59
From: "rafal.ramocki" <[hidden email]>
To: [hidden email]
Subject: Re: authpf error: failed to create table (Device busy)

Re: authpf error: failed to create table (Device busy)

Gabriel Nieto
In reply to this post by md.obsd.bugs
Hello,
I think this patch can fix the problem.

diff -u -p pfctl.c.orig  pfctl.c
--- pfctl.c.orig        Thu Aug 10 09:44:35 2017
+++ pfctl.c     Thu Aug 10 09:50:57 2017
@@ -1,4 +1,5 @@
-/*     $OpenBSD: pfctl.c,v 1.339 2017/03/27 17:38:09 benno Exp $ */
+/*     pfctl.c,v 1.339FIX 2017/08/10 19:01:01 Gabriel Nieto gabnietof@gmail.com */
+/*      $OpenBSD: pfctl.c,v 1.339 2017/03/27 17:38:09 benno Exp $ */
 
/*
  * Copyright (c) 2001 Daniel Hartmeier
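
Review bot: The header change at the top of pfctl.c is unrelated to the anchor fix and should be dropped. It adds a personal "1.339FIX" identification line above the $OpenBSD$ tag and also changes the whitespace inside the existing $OpenBSD$ comment; leaving the RCS ID line untouched keeps the diff limited to the functional change in pfctl_rules().
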
@@ -1489,12 +1490,11 @@ pfctl_rules(int dev, char *filename, int opts, int opt
            sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
                errx(1, "pfctl_add_rule: strlcpy");
 
-       if ((p = strrchr(anchorname, '/')) != NULL) {
+       if ((p = strrchr(anchorname, '/')) != NULL)
                if (strlen(p) == 1)
                        errx(1, "pfctl_add_rule: bad anchor name %s",
                            anchorname);
-       } else
-               p = anchorname;
+       p = anchorname;
 
        if (strlcpy(pf.anchor->name, p,
            sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
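
Review bot: With the braces and the else removed, "p = anchorname;" now runs unconditionally, so the pointer returned by strrchr() is used only for the trailing-slash check and is then overwritten. The strlcpy() into pf.anchor->name therefore copies the whole anchor name, parent components included, instead of the text starting at the last '/', and its size check now applies to that full string. If the full path in the name field is the intended fix, say so in the message and drop the now redundant assignment to p inside the condition; if the problem is only the leading '/' left in p by the old branch, advancing p past it in that branch would be a narrower change. Keeping braces around the outer if would also make it clearer that the nested if has no else.
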
 
Gabriel.

Re: authpf error: failed to create table (Device busy)

adrian.brzezinski
CONTENTS DELETED
The author has deleted this message.