A short update on this one.
We have two identical boxes running pf in bridge mode. The boxes are
in parallel and we use the cisco switch/routers to handle the
failover. Both the boxes receive the rulesets but only the 'active'
one generates the error.
I guess when all else fails we will try rebooting the box but I'd
rather not:
$ uptime
4:51PM up 215 days, 4:27, 1 user, load averages: 0.10, 0.08, 0.08
R
On 30/01/2008, at 5:28 PM, Russell Fulton wrote:
This afternoon pfctl started spitting out this message every time we
reload the rule set. So far as I can tell nothing substantial
changed at this point. Perhaps a new table was created or an IP
added to an existing table. (The ruleset is built from a database,
and there have been quite a few changes this afternoon; by the
time I noticed the error all the old versions had been overwritten
-- I keep 20 old versions :( )
The rule set loads OK and appears to work fine.
From some limited googling it appears that the issue is related to
anchors but I can't figure out how.
Our rule set has this structure:
<lots of table defs>
anchor *ftpsesame
<some hand crafted rules>
anchor table_rules
<all the rules that use the tables>
anchor other_rules
<other rules that don't involve tables>
The last two anchors are completely redundant and I could remove them.
I did a grep on the rule set and came up with 156 tables (not 170).
Can someone shed some light on what is going on?
Russell.