Re: pfctl: DIOCADDRULE: Operation not supported by device
* roberth rob...@openbsd.pap.st [2011-05-09 00:29]:
> On the other hand, i have been running -current for years and never have had any problem with building source with the previous kernel (without reboot) that i can remember. Maybe my 3 digit amount of builds isn't enough or i built at the wrong states of the tree.

indeed. it is not exactly the first time pf ioctls changed.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: pfctl: DIOCADDRULE: Operation not supported by device
On 2011-05-08, Chris Smith obsd_m...@chrissmith.org wrote:
> After an update to -current yesterday Internet access was lost as pf.conf could not be loaded. The error message was:
> pfctl: DIOCADDRULE: Operation not supported by device

Address translation would break but you should still be able to get into the machine.

> This error occurred after upgrading the kernel and then rebooting. After userland was brought up to date as well and the system rebooted everything was fine. The system in question was local so outside of being offline for the amount of time it took to build userland there wasn't a lot to worry about. What I'm concerned with is this being an issue on a remote system where not being able to get back in after rebooting with just an updated kernel would (if it happened) be a serious issue.

I would *very strongly* recommend out of band management of some sort for any important remote machine. Whether it's serial console, KVM/IP, or a remote management card (one with dedicated nic; there are good reasons why openbsd doesn't support the shared nic cards).

If you skip this, it's more important than usual to the same upgrade path on the same type of machine locally first. There's usually no problem, but sometimes you get unlucky with various code changes.
Re: pfctl: DIOCADDRULE: Operation not supported by device
On 05/08/2011 03:05 PM, Otto Moerbeek wrote:
> On Sun, May 08, 2011 at 02:54:21PM -0400, Chris Smith wrote:
>> After an update to -current yesterday Internet access was lost as pf.conf could not be loaded. The error message was:
>> pfctl: DIOCADDRULE: Operation not supported by device
>> This error occurred after upgrading the kernel and then rebooting. After userland was brought up to date as well and the system rebooted everything was fine. The system in question was local so outside of being offline for the amount of time it took to build userland there wasn't a lot to worry about. What I'm concerned with is this being an issue on a remote system where not being able to get back in after rebooting with just an updated kernel would (if it happened) be a serious issue.
>> Is there a good way to avoid this? Is it safe to skip rebooting between the kernel build and userland build? Or would it work to manually build and install pfctl before the reboot after the kernel build? Or something else that hasn't occurred to me yet?
>> Thanks,
>> Chris
>
> NO, it's not always safe to skip rebooting, nor is it always safe to reboot, as you have experienced. The advice in http://www.openbsd.org/faq/faq5.html 5.2, last paragraph is there for a reason.
>
> -Otto

as is the rest of FAQ 5.2, questioning why you are building the system from source, and 5.3.2, which is install the closest snapshot.

So yes, there are good ways to avoid this problem -- follow the instructions.

Nick.
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Mon, May 9, 2011 at 9:57 AM, Nick Holland n...@holland-consulting.net wrote:
> as is the rest of FAQ 5.2, questioning why you are building the system from source, and 5.3.2, which is install the closest snapshot.

It's been running -current for quite some time (and the original install was from the latest snapshot), usually update every week or two, this time there were three weeks in between.
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Sun, May 08, 2011 at 02:54:21PM -0400, Chris Smith wrote:
> After an update to -current yesterday Internet access was lost as pf.conf could not be loaded. The error message was:
> pfctl: DIOCADDRULE: Operation not supported by device
> This error occurred after upgrading the kernel and then rebooting. After userland was brought up to date as well and the system rebooted everything was fine. The system in question was local so outside of being offline for the amount of time it took to build userland there wasn't a lot to worry about. What I'm concerned with is this being an issue on a remote system where not being able to get back in after rebooting with just an updated kernel would (if it happened) be a serious issue.
> Is there a good way to avoid this? Is it safe to skip rebooting between the kernel build and userland build? Or would it work to manually build and install pfctl before the reboot after the kernel build? Or something else that hasn't occurred to me yet?
> Thanks,
> Chris

NO, it's not always safe to skip rebooting, nor is it always safe to reboot, as you have experienced. The advice in http://www.openbsd.org/faq/faq5.html 5.2, last paragraph is there for a reason.

-Otto
Re: pfctl: DIOCADDRULE: Operation not supported by device
On 2011-05-08, at 1:54 PM, Chris Smith wrote:
> After an update to -current yesterday Internet access was lost as pf.conf could not be loaded. The error message was:
> pfctl: DIOCADDRULE: Operation not supported by device
> This error occurred after upgrading the kernel and then rebooting. After userland was brought up to date as well and the system rebooted everything was fine. The system in question was local so outside of being offline for the amount of time it took to build userland there wasn't a lot to worry about. What I'm concerned with is this being an issue on a remote system where not being able to get back in after rebooting with just an updated kernel would (if it happened) be a serious issue.
> Is there a good way to avoid this? Is it safe to skip rebooting between the kernel build and userland build? Or would it work to manually build and install pfctl before the reboot after the kernel build? Or something else that hasn't occurred to me yet?
> Thanks,
> Chris

Hi,

Following the upgrade.html document may be the best approach. What I typically do is build the release on a system (build kernel as well as all binaries and do a make release) and then follow the upgrade.html approach for remote systems after I am sure nothing at the remote branch will break. In our case the remote branch in question is within driving distance and that makes it less risky for me but the procedure has not failed me for close to 10 years.

Before 4.x I used to follow a slightly different approach (pax) but since 4.2 or so I have been following the update.html document verbatim.

Vijay
Vijay Sankar vsan...@foretell.ca
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Sun, 8 May 2011 14:54:21 -0400 Chris Smith obsd_m...@chrissmith.org wrote:
> Is there a good way to avoid this? Is it safe to skip rebooting between the kernel build and userland build? Or would it work to manually build and install pfctl before the reboot after the kernel build? Or something else that hasn't occurred to me yet?

Yes, just skip the reboot. Isn't advised anymore in upgradeXX.html.

Remember to save the old reboot binary as a precaution before building base when running -current or upgrading releases from source.
Re: pfctl: DIOCADDRULE: Operation not supported by device
On 8-5-2011 21:16, roberth wrote:
> On Sun, 8 May 2011 14:54:21 -0400 Chris Smith obsd_m...@chrissmith.org wrote:
>> Is there a good way to avoid this? Is it safe to skip rebooting between the kernel build and userland build? Or would it work to manually build and install pfctl before the reboot after the kernel build? Or something else that hasn't occurred to me yet?
>
> Yes, just skip the reboot. Isn't advised anymore in upgradeXX.html.
> Remember to save the old reboot binary as a precaution before building base when running -current or upgrading releases from source.

You are aware that this question concerns following -current? And that you are strongly advised to follow the FAQ when building -current as others already pointed out?
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Sun, 08 May 2011 21:48:25 +0200 Erik o...@vanwesten.net wrote:
> You are aware that this question concerns following -current? And that you are strongly advised to follow the FAQ when building -current as others already pointed out?

Building from source. Got error after kernel reboot. Dude, rtfaq! Kernel and userland out of sync. Build base and reboot...

Uhum. Sure that's a way to approach this. That's the supported way. With that amount of support required. Fine with that.

On the other hand, i have been running -current for years and never have had any problem with building source with the previous kernel (without reboot) that i can remember. Maybe my 3 digit amount of builds isn't enough or i built at the wrong states of the tree.

So let me rephrase, ... Follow the FAQ and do it that way, because then you can come to the list and ask. (Like OP did.)

So take my just build base without rebooting as personal advice. Never said anything about this being the project endorsed way. But it works for me, maybe it does for you, too... Don't come asking for help onlist, if you didn't follow the faq though, might lose you karma. Just try again as the faq says and ask after that.

Even if something breaks in the worst way because of not rebooting, simply updating with a snapshot will get you back on track.

Concerning remote-updates, from source will run into more problems than from a known good set of tarballs. That's simple statistics, because of how many binaries are involved. (remote console access helps, but still might mess up your sla.)
Re: pfctl: DIOCADDRULE: Operation not supported by device
On Sun, May 8, 2011 at 3:25 PM, roberth rob...@openbsd.pap.st wrote:
> Uhum. Sure that's a way to approach this. That's the supported way. With that amount of support required. Fine with that.

I usually build the new kernel, major utilities that require the new kernel as per http://openbsd.org/faq/current.html and http://openbsd.org/upgrade*.html. Then reboot to the new kernel, and build userland. I assume the machine is out of production until it's done.

> On the other hand, i have been running -current for years and never have had any problem with building source with the previous kernel (without reboot) that i can remember.

The occasional problem exists. Mostly due to a kernel call after a library is installed before the userland is upgraded.

> Concerning remote-updates, from source will run into more problems than from a known good set of tarballs. That's simple statistics, because of how many binaries are involved. (remote console access helps, but still might mess up your sla.)

I always build release from an already upgraded master build server, so there are no potentially off binaries being distributed.

jb