Solved pfctl: Failed to open netlink: Bad file descriptor

Hey all

I somehow fail to write basic firewall rules for my system. When I run pfctl -nf /etc/pf.conf it fails with an error:

Code:
# pfctl -nf /etc/pf.conf
pfctl: Failed to open netlink: Bad file descriptor

If I try to ask for more debug output, I get the same result.

Code:
# pfctl -x loud -gvnf /etc/pf.conf
pfctl: Failed to open netlink: Bad file descriptor

My pf.conf contains the following

Code:
# Macros
mgt_if = "igb0"
zg_range6 = "2a10:8240::/29"
ksz_range6 = "2001:4b20::/29"
# macro references need the $ prefix inside the list, or pf sees literal names
ssh_sources = "{ $zg_range6, $ksz_range6 }"
# icmp_types is used below but was never defined in the posted ruleset; the
# value here is an assumption so the file parses. Neighbour discovery
# (neighbrsol/neighbradv) must be allowed or IPv6 on igb0 stops working.
icmp_types = "{ echoreq, neighbrsol, neighbradv, routeradv, toobig }"


# Settings
set skip on lo0
set block-policy drop

# Tables
table <icmpratelimit> persist

# Basic security rules
antispoof quick for { $mgt_if }
scrub in all
block quick log from <icmpratelimit>

# Default policy
block in on $mgt_if
pass out on $mgt_if

# ICMP with rate limit
pass inet6 proto icmp6 all icmp6-type $icmp_types \
  keep state (max-src-conn-rate 6/4, overload <icmpratelimit> flush global)

# Basic services (pf syntax is "from <src> to <dst> port <port>")
pass in on $mgt_if proto tcp from $ssh_sources to port 22

I'm not sure whether the config is correct since pfctl doesn't check it.

I somehow suspect the reason for this is that the system does not have an IPv4 address configured. However as far as I can tell I didn't specify any IPv4-specific rule in the ruleset.

Code:
# ifconfig igb0
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 18:c0:4d:b6:a9:bc
        inet6 2001:db8:0:1::2 prefixlen 64
        inet6 fe80::1ac0:afff:afff:afff%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:0:1::1:a prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

(Obviously I did redact the IP addresses, the second public IP is used in a jail)

This is on FreeBSD 15.0 using pkgbase.

Thanks, Beni

EDIT: Fix re comment of ShelLuser
 
One comment... you say 'a' (that you're only using -nf, only to show us something else ;) For those of us who don't know those parameters by heart it could be another possible cause.

Also: which version of FreeBSD are you using? Because if you build the system yourself then I could imagine that the cause of your issues could be found there. Thing is: netlink is - as far as I recall - mostly used on Linux environments, which makes me wonder about your setup.
 
Thanks for the hints. For clarity I edited the original post accordingly.
 
Ok, this is a very stupid error. I didn't realise that pf isn't even running. Adding it to
/etc/rc.conf and doing a

Code:
service pf start

did the trick. Sorry for even posting this.
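The fix from the post above, together with a precheck that tells the two causes seen in this thread apart (no /dev/pf at all, versus pf(4) loaded but never enabled). This is an added example, not code from the original posts or from FreeBSD; the function names `pf_status_enabled`, `pf_precheck` and `pf_enable_persistent` are mine, and it assumes a stock FreeBSD host with sysrc(8) and the default /etc/pf.conf ruleset path.

```sh
#!/bin/sh
# Added example (not from the thread): diagnose "Failed to open netlink:
# Bad file descriptor" before touching the ruleset, then apply the fix the
# way the rc system expects. pfctl needs /dev/pf; the node appears when
# pf(4) is loaded and is hidden in a jail whose devfs ruleset omits it.

# pf_status_enabled: read `pfctl -s info` output on stdin; succeed (0) when
# the "Status:" line says Enabled. Text parsing only, testable without pf.
pf_status_enabled() {
  awk '/^Status:/ { if ($2 == "Enabled") ok = 1; exit }
       END { if (ok) exit 0; exit 1 }'
}

# pf_precheck [devnode]: 0 = pfctl should work; 1 = device node missing
# (module not loaded, or hidden by the jail's devfs ruleset); 2 = pf(4) is
# loaded but disabled, i.e. "service pf start" has not run yet.
pf_precheck() {
  dev="${1:-/dev/pf}"
  if [ ! -c "$dev" ]; then
    echo "$dev missing: load pf(4) (kldload pf) or fix the jail's devfs ruleset" >&2
    return 1
  fi
  if ! pfctl -s info 2>/dev/null | pf_status_enabled; then
    echo "pf(4) loaded but disabled: run 'service pf start'" >&2
    return 2
  fi
}

# pf_enable_persistent: the thread's fix. /etc/rc.d/pf is not a daemon: it
# loads the module, enables pf and loads $pf_rules (/etc/pf.conf by default).
pf_enable_persistent() {
  sysrc pf_enable=YES pflog_enable=YES || return 1  # persist in /etc/rc.conf
  service pf start || return 1                       # pf.ko + enable + ruleset
  service pflog start || return 1                    # pflog0, so "log" rules record
  pfctl -nf /etc/pf.conf                             # now an actual syntax check
}

# usage: sh pfcheck.sh check   |   sh pfcheck.sh enable
case "${1:-}" in
  check)  pf_precheck ;;
  enable) pf_enable_persistent ;;
esac
```

Run `check` first: a return code of 1 means the ruleset was never even parsed, so fixing pf.conf syntax is pointless until the device exists; a return code of 2 is exactly the situation in this thread.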
 
It's an unhelpful error. I was getting the exact same error yesterday in a jail where I wanted to run pf. I've done that plenty of times, but forgot to use the correct devfs rule (4 when it should have been 5). Same error. Felt ridiculous after I figured it out 30 minutes later.
 
pfctl: Failed to open netlink: Bad file descriptor
pf(4) kernel module isn't loaded.

I didn't realise that pf isn't even running.
There's no "process" or "service" called PF, /etc/rc.d/pf simply enables PF (which causes the module to load) and loads the ruleset from /etc/pf.conf (by default).

but forgot to use the correct devfs rule
That prevented access to the PF "device" (pf(4)), which is effectively the same as not having the kernel module loaded.
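The jail case from the thread (devfs ruleset 4 instead of 5) in concrete form. This is an added example, not code from the posts or from FreeBSD: it appends a ruleset to /etc/devfs.rules that starts from the stock `devfsrules_jail` set and additionally unhides pf and pflog, checks that a ruleset number really contains the unhide rule, and applies it to a running jail's devfs mount. The ruleset name `devfsrules_jail_pf`, the number 5 (taken from the post) and the function names are my choices; the check function only parses devfs.rules syntax and never queries the kernel.

```sh
#!/bin/sh
# Added example (not from the thread): expose /dev/pf inside a jail.
# /etc/defaults/devfs.rules defines devfsrules_jail=4 without pf, so a jail
# using ruleset 4 has no /dev/pf and pfctl fails exactly as if pf(4) were
# not loaded. Ruleset 5 below includes set 4 and unhides pf (and pflog).

# write_jail_pf_ruleset FILE: append the ruleset to FILE (normally
# /etc/devfs.rules, which overrides the defaults file). '$name' references
# are resolved by /etc/rc.d/devfs, hence the quoted heredoc.
write_jail_pf_ruleset() {
  cat >>"$1" <<'EOF'
[devfsrules_jail_pf=5]
add include $devfsrules_jail
add path pf unhide
add path pflog unhide
EOF
}

# devfs_ruleset_unhides_pf FILE N: succeed if ruleset number N in FILE has
# an "add path pf unhide" rule. Pure devfs.rules parsing, runs on any host.
devfs_ruleset_unhides_pf() {
  awk -v want="$2" '
    /^\[/ {                               # "[name=N]" header opens a ruleset
      inset = 0
      if (match($0, /=[0-9]+]$/)) {
        n = substr($0, RSTART + 1, RLENGTH - 2)
        inset = (n == want)
      }
      next
    }
    inset && $1 == "add" && $2 == "path" && $3 == "pf" && $4 == "unhide" { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# apply_jail_pf_ruleset JAILROOT: reload rulesets from /etc/devfs.rules and
# apply set 5 to an already-running jail's devfs. jail.conf for that jail
# needs "devfs_ruleset = 5;" and "vnet;", since pf in a jail requires its
# own network stack; the final test confirms the node is now visible.
apply_jail_pf_ruleset() {
  devfs_ruleset_unhides_pf /etc/devfs.rules 5 || return 1
  service devfs restart || return 1
  devfs -m "$1/dev" rule -s 5 applyset || return 1
  [ -c "$1/dev/pf" ]
}

# usage: sh jailpf.sh apply /usr/jails/fw
case "${1:-}" in
  apply) apply_jail_pf_ruleset "$2" ;;
esac
```

The `-c` test at the end is the same condition pfctl depends on; if it fails after applying the set, the jail is most likely still pointed at ruleset 4 in jail.conf and needs a restart with the new `devfs_ruleset` value.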
 