On Sun, Oct 16, 2016 at 08:17:13PM +0200, Marek Zarychta wrote: > The issue occurred first two years ago, after upgrade from 8 to 9 > branch. Now this i386 machine is running 11.0-STABLE and despite it was > compiled with "WITHOUT_ASSERT_DEBUG=yes", still from time to time > message buffer is fed with: > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed. > pfr_update_stats: assertion failed.
These messages are still filling system message buffer. According to
pfctl (8) there is nothing wrong with incrementing "XPass" counters
instead of the "Pass" counters. The message "pfr_update_stats: assertion
failed" is printed for debugging purposes only. One could also compare
the counters with the command "pfctl -sT -vv".
OpenBSD converted printf()'s to DPFDEBUG() macro in their sources almost
8 years ago. Only this printf() in pf_table.c has been converted to the
level of LOG_DEBUG [1].
Perhaps this line of code could be removed from FreeBSD PF sources?
--- sys/netpfil/pf/pf_table.orig.c 2018-06-23 16:40:14.876882000 +0200
+++ sys/netpfil/pf/pf_table.c 2018-06-23 16:40:23.621384000 +0200
@@ -1986,5 +1986,4 @@
if ((ke == NULL || ke->pfrke_not) != notrule) {
if (op_pass != PFR_OP_PASS)
- printf("pfr_update_stats: assertion failed.\n");
op_pass = PFR_OP_XPASS;
}
[1]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c?rev=1.86&content-type=text/x-cvsweb-markup
--
Marek Zarychta
signature.asc
Description: PGP signature
