There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy

Started by clas.martens, February 04, 2025, 11:19:17 AM

Greetings.

For a while now, we have had an HA cluster in the data center running on new hardware from Decisio. Before the firewall was moved, a large number of aliases were created in the new OPNsense. Later, after the firewall was put into operation, major cleanup work was required on the aliases. This is exactly when something very unpleasant happened. When the changes were applied, unexpected behavior related to the set rules occurred several times. A small further change to the rules and their application restored the desired state. A little later, it turned out that there was also a log entry for each case. So at least we had the control not to overlook anything.

The following lines indicate that it has happened again:
There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy
/usr/local/etc/rc.filter_configure: The command '/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', the output was 'pfctl: DIOCADDRULENV: Device busy'

We noticed that no more cases were added after the clean-up work on the aliases.
If I remember correctly, this only happened when I made a lot of changes to the aliases at once and these were then applied.

Nevertheless, we are concerned about the behavior of the firewall and now look at the log files after every rule change.


Thank you.


Hardware:
DEC2752

Versions:
OPNsense 24.10.1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15
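
The manual log check described in the post above can be automated. This is an added example, not part of the original post and not OPNsense code: it matches the two message formats quoted in the post, and the timestamp and host prefix in the sample lines, the function names and the way the log text reaches the script are assumptions.

```python
import re
import sys

# Message formats taken from the two log lines quoted in the post.
LOAD_ERROR = re.compile(r"There were error\(s\) loading the rules: (?P<detail>.+)$")
CMD_FAILED = re.compile(
    r"The command '(?P<command>[^']+)' returned exit code '(?P<code>\d+)', "
    r"the output was '(?P<output>.*)'\s*$"
)

# Constructed sample: the messages come from the post, the prefixes are invented.
SAMPLE_LOG = [
    "2025-02-04T11:02:13 fw1 There were error(s) loading the rules: pfctl: DIOCADDRULENV: Device busy",
    "2025-02-04T11:02:13 fw1 /usr/local/etc/rc.filter_configure: The command "
    "'/sbin/pfctl -f /tmp/rules.debug.old' returned exit code '1', "
    "the output was 'pfctl: DIOCADDRULENV: Device busy'",
    "2025-02-04T11:05:40 fw1 an unrelated line that must not be reported",
]

def find_rule_load_failures(lines):
    """Return one dict per log line that reports a failed pf ruleset load."""
    failures = []
    for lineno, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        m = CMD_FAILED.search(line)
        if m and "pfctl" in m["command"]:
            failures.append({"line": lineno, "kind": "command_failed",
                             "command": m["command"],
                             "exit_code": int(m["code"]),
                             "detail": m["output"]})
            continue
        m = LOAD_ERROR.search(line)
        if m:
            failures.append({"line": lineno, "kind": "load_error",
                             "detail": m["detail"].strip()})
    return failures

def is_device_busy(failure):
    """True when the failure carries the 'Device busy' error from the post."""
    return "DIOCADDRULENV: Device busy" in failure["detail"]

if __name__ == "__main__":
    # Pipe log text on stdin after a rule change; with a terminal, use the sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    found = find_rule_load_failures(source)
    for f in found:
        tag = "device busy" if is_device_busy(f) else "other"
        print(f"line {f['line']}: {f['kind']} ({tag}): {f['detail']}")
    sys.exit(1 if found else 0)
```

The non-zero exit status when a failure is found lets a monitoring job or a post-change checklist alert on it instead of relying on someone reading the log.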