Bug 223093

Summary: /dev/pf locks disrupt other pf-dependent services (ftp-proxy, tftp-proxy, relayd, pfctl, etc)
Product: Base System Reporter: jjasen
Component: kern Assignee: freebsd-pf (Nobody) <pf>
Status: Closed Overcome By Events    
Severity: Affects Some People CC: eri, kp
Priority: ---    
Version: 10.4-RELEASE   
Hardware: amd64   
OS: Any   

Description jjasen 2017-10-18 13:54:34 UTC
A firewall system running pf, with ftp-proxy, tftp-proxy and relayd in active use can encounter conditions where one or more of the supporting services or utilities will fail.

For example, while ftp-proxy has a lock on /dev/pf, relayd cannot make changes and will crash (reference bug 213859). 

Additionally, if tftp-proxy has a lock on /dev/pf, the ftp-proxy connection will fail. Conversely, if something has a lock on /dev/pf, tftp-proxy will abort and retry.
Comment 1 Ermal Luçi freebsd_committer freebsd_triage 2017-10-18 23:58:34 UTC
Are you reporting the issue for the pf utilities or pf itself?
Comment 2 jjasen 2017-10-19 01:57:05 UTC
I'd speculate the issue is with /dev/pf itself, which would be pf.
Comment 3 Kristof Provost freebsd_committer freebsd_triage 2017-10-21 11:29:41 UTC
(In reply to jjasen from comment #2)
The changes these tools make are transactional: they first DIOCXBEGIN and end with DIOCXCOMMIT. If a different tool tries to start a transaction (i.e. do DIOCXBEGIN) it will get EBUSY. It's up to the tool to restart a bit later.
Comment 4 Kristof Provost freebsd_committer freebsd_triage 2019-02-01 13:30:45 UTC
10.4 is no longer supported, and this is a missing feature in the listed tools, not in pf.
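
The retry behaviour that comment 3 expects of a tool when DIOCXBEGIN returns EBUSY, as an added example (not code from pf, pfctl, or any of the listed daemons). `begin_fn`, `begin_with_retry` and `fake_pf` are hypothetical names; on FreeBSD the callback would issue the DIOCXBEGIN ioctl on an open /dev/pf descriptor, and here a constructed stand-in replaces it so the logic runs without pf.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical callback that opens the transaction. On FreeBSD it would wrap
 * the DIOCXBEGIN ioctl on an open /dev/pf descriptor; it is abstracted here
 * so the retry logic runs without pf. Returns 0, or -1 with errno set. */
typedef int (*begin_fn)(void *ctx);

/* Call begin() until it succeeds, retrying only on EBUSY with a doubling
 * delay. Returns 0 on success, -1 with errno set on failure. */
int begin_with_retry(begin_fn begin, void *ctx, int max_tries, long delay_ms)
{
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        if (begin(ctx) == 0)
            return 0;
        if (errno != EBUSY)
            return -1;              /* real error: retrying will not help */
        if (attempt < max_tries) {
            struct timespec ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
            nanosleep(&ts, NULL);   /* give the other tool time to commit */
            delay_ms *= 2;
        }
    }
    errno = EBUSY;                  /* still busy after max_tries attempts */
    return -1;
}

/* Constructed stand-in for pf: fails `fails_left` times with `err`. */
struct fake_pf { int fails_left; int err; int calls; };

int fake_begin(void *ctx)
{
    struct fake_pf *pf = ctx;
    pf->calls++;
    if (pf->fails_left > 0) {
        pf->fails_left--;
        errno = pf->err;
        return -1;
    }
    return 0;
}

int main(void)
{
    struct fake_pf pf = { 3, EBUSY, 0 };   /* busy for the first 3 attempts */
    int rc = begin_with_retry(fake_begin, &pf, 5, 10);
    printf("rc=%d after %d attempts\n", rc, pf.calls);
    return rc == 0 ? 0 : 1;
}
```

A caller that gets -1 with errno still set to EBUSY can log and defer the change rather than exit, which is the difference between a delayed rule update and a crashed daemon.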