Hey all
I somehow fail to write basic firewall rules for my system. When I run pfctl -nf /etc/pf.conf, it fails with an error:
Code:
# pfctl -nf /etc/pf.conf
pfctl: Failed to open netlink: Bad file descriptor
If I try to ask for more debug output, I get the same result.
Code:
# pfctl -x loud -gvnf /etc/pf.conf
pfctl: Failed to open netlink: Bad file descriptor
My pf.conf contains the following:
Code:
# Macros
mgt_if = "igb0"
zg_range6 = "2a10:8240::/29"
ksz_range6 = "2001:4b20::/29"
# macro references need a leading $; a bare name would be treated as a hostname
ssh_sources = "{ $zg_range6, $ksz_range6 }"
# $icmp_types was referenced below but never defined; this set of ICMPv6 types is an assumed placeholder
icmp_types = "{ echoreq, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routersol, routeradv }"
# Settings
set skip on lo0
set block-policy drop
# Tables
table <icmpratelimit> persist
# Normalization (scrub) has to come before filter rules such as antispoof, block and pass
scrub in all
# Basic security rules
antispoof quick for { $mgt_if }
block quick log from { <icmpratelimit> }
# Default policy
block in on $mgt_if
pass out on $mgt_if
# ICMP with rate limit
pass inet6 proto icmp6 all icmp6-type $icmp_types \
keep state (max-src-conn-rate 6/4, overload <icmpratelimit> flush global)
# Basic services
# pf needs "from <src> to port <n>"; a bare "port 22" without from/to is a syntax error
pass in on $mgt_if inet6 proto tcp from $ssh_sources to port 22
I'm not sure whether the config is correct since pfctl doesn't check it.
I somehow suspect the reason for this is that the system does not have an IPv4 address configured. However, as far as I can tell I didn't specify any IPv4-specific rule in the ruleset.
Code:
# ifconfig igb0
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 18:c0:4d:b6:a9:bc
inet6 2001:db8:0:1::2 prefixlen 64
inet6 fe80::1ac0:afff:afff:afff%igb0 prefixlen 64 scopeid 0x1
inet6 2001:db8:0:1::1:a prefixlen 64
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
(Obviously I redacted the IP addresses; the second public IP is used in a jail.)
This is on FreeBSD 15.0 using pkgbase.
Thanks, Beni
EDIT: fixed per ShelLuser's comment
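Since pfctl never gets as far as parsing the ruleset here, an offline pre-check for the two macro mistakes in the posted pf.conf (a macro referenced as $icmp_types but never defined, and defined macros used without the leading $) is added below. This is an example written for this thread, not code from the post or from pf; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Offline lint for two macro mistakes in a pf.conf: names referenced as $name
# but never defined, and defined macros used without the leading $.
# Constructed example; function names and the sample file are not from the post.

strip_comments() { sed 's/#.*//' "$1"; }

# Every macro referenced as $name, one per line, sorted and unique.
pf_macro_refs() {
    strip_comments "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sed 's/^\$//' | sort -u
}

# Every macro defined as `name = ...`, one per line, sorted and unique.
pf_macro_defs() {
    strip_comments "$1" \
        | sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' | sort -u
}

# Referenced but never defined (what a working pfctl -n would reject).
pf_undefined_macros() {
    refs="${TMPDIR:-/tmp}/pfrefs.$$"; defs="${TMPDIR:-/tmp}/pfdefs.$$"
    pf_macro_refs "$1" > "$refs"; pf_macro_defs "$1" > "$defs"
    comm -23 "$refs" "$defs"          # lines only in the references list
    rm -f "$refs" "$defs"
}

# Defined macros that also appear bare (no $) outside their own definition line;
# pfctl would try to resolve such a bare name as a hostname instead of expanding it.
pf_bare_macro_uses() {
    for name in $(pf_macro_defs "$1"); do
        strip_comments "$1" | grep -v "^[[:space:]]*$name[[:space:]]*=" \
            | grep -Eq "(^|[^\$A-Za-z0-9_])$name([^A-Za-z0-9_]|\$)" && echo "$name"
    done
    return 0
}

# Constructed sample reproducing the post's macro section and the two defects.
SAMPLE_PF="${TMPDIR:-/tmp}/pf_sample.$$.conf"
cat > "$SAMPLE_PF" <<'EOF'
mgt_if = "igb0"
zg_range6 = "2a10:8240::/29"
ksz_range6 = "2001:4b20::/29"
ssh_sources = "{ zg_range6, ksz_range6 }"
pass inet6 proto icmp6 all icmp6-type $icmp_types
pass in on $mgt_if inet6 proto tcp from $ssh_sources to port 22
EOF

echo "undefined macros:"; pf_undefined_macros "$SAMPLE_PF"   # icmp_types
echo "bare macro names:"; pf_bare_macro_uses "$SAMPLE_PF"    # ksz_range6 zg_range6
```

Run it against /etc/pf.conf instead of the sample once pfctl itself is working again; an empty report from both checks means the macros at least are consistent.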