freebsd stable - Oct 2008 - pf rules not being loaded during boot on 7.1-PRERELEASE

I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE.  I 
rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no
rules got loaded during boot, despite pf itself having been enabled:

router# pfctl -s rules
router# pfctl -e -f /etc/pf.conf
pfctl: pf already enabled
[connection is closed due to new rules being loaded]
router# pfctl -s rules
scrub in all fragment reassemble
[... lots of rules listed]

Has anyone else seen this problem, or have I just missed something 
that's changed between 7.0 and 7.1 in the way pf works?

-- 
Bruce Cran

On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran
wrote:
> I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE.  I  
> rebooted it today but despite pf_enable="YES" being in
/etc/rc.conf no
> rules got loaded during boot, despite pf itself having been enabled:
>
> router# pfctl -s rules
> router# pfctl -e -f /etc/pf.conf
> pfctl: pf already enabled
> [connection is closed due to new rules being loaded]
> router# pfctl -s rules
> scrub in all fragment reassemble
> [... lots of rules listed]
>
> Has anyone else seen this problem, or have I just missed something  
> that's changed between 7.0 and 7.1 in the way pf works?
I was seeing something similar on my own box which I just upgraded from
a 150-day-old RELENG_6 to present RELENG_6.  pfctl -s rules output no
rules.  pfctl -s info showed packet counters, but no interface stats
(due to the rules not being loaded, e.g. no loginterface).

kldstat showed pflog.ko and pf.ko loaded.

If I did /etc/rc.d/pf start, the rules would loaded, and everything
starts working as expected.

I rebooted the box and saw the following on serial console, which I'm
pretty sure is what's responsible for the breakage:

Enabling pf.
Oct  3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
cannot determine interface bandwidth for bge0, specify an absolute
bandwidth
altq not defined on bge0
altq not defined on bge0
/conf/ME/pf.conf:52: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:53: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:54: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
pf enabled

I'd recommend you check your kernel console log on boot-up and see if
anything is showing up there.  I'm about to go digging to find out
what's wrong with my ALTQ rules.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

On 12/23/-58 20:59, Bruce Cran wrote:
> <div class="moz-text-flowed">I recently upgraded my i386
router from 7.0
> to 7.1-PRERELEASE.  I rebooted it today but despite
pf_enable="YES"
> being in /etc/rc.conf no rules got loaded during boot, despite pf itself
> having been enabled:
> 
> router# pfctl -s rules
> router# pfctl -e -f /etc/pf.conf
> pfctl: pf already enabled
> [connection is closed due to new rules being loaded]
> router# pfctl -s rules
> scrub in all fragment reassemble
> [... lots of rules listed]
> 
> Has anyone else seen this problem, or have I just missed something
> that's changed between 7.0 and 7.1 in the way pf works?
> 
Hi Bruce,
> # pfctl -sr | wc -l
>       81
> # grep pf /etc/rc.conf
> pf_enable="YES"
> pf_rules="/etc/Firewall/pf-ces.conf"
> pflog_enable="YES"
this is from a very recent 7-STABLE box:
> # uname -a
> FreeBSD cesar.sz.vwsoft.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #46: Tue
Sep 30 23:33:36 CEST 2008    
root@cesar.sz.vwsoft.com:/usr/obj/usr/src/sys/CESAR  i386
Do you mind to show me your rules? What does ``pfctl -gnf
/path/to/your/rules'' give?

Volker