Regression #11857: Match rules cause pf error parsing rules - pfSense - pfSense bugtracker

Actions

Copy link

Regression #11857

closed

Match rules cause pf error parsing rules

Added by Jim Pingle about 3 years ago. Updated almost 3 years ago.

Status:

Closed

Priority:

Urgent

Assignee:

Luiz Souza

Category:

Rules / NAT

Target version:

2.5.2

Start date:

04/27/2021

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

21.05

Release Notes:

Force Exclusion

Affected Version:

2.6.x

Affected Architecture:

All

Description

Having a match rule, either manually or from ALTQ traffic shaping, leads to a pfctl error loading the rules:

pfctl: Invalid rule type 12

Happens on Plus 21.05 snapshots as well as 2.6.0 snapshots.

Simple to reproduce, add a rule on the Floating tab with the action set to match. The other parameters don't seem to matter, so set a random TCP port, save and apply. Then after applying, there will be an notification of the error.

Remove the match rule(s) and/or remove ATLQ traffic shaping and the rules load as expected.

Rule from /tmp/rules.debug:

match  on {  ix3  } inet proto tcp  from any to any port 65164 tracker 1619532858 flags S/SA  label "USER_RULE: match test"

Same rules load fine on 21.02.2/2.5.1.

Actions

Copy link

Updated by Brad Hawkins almost 3 years ago

I am seeing the exact same issue on my Negate 3100.
The first time I upgraded from 21.02 to 21.05 all outbound traffic was blocked until all traffic shaping rules were removed.
Since removing the rules I can re-add the traffic shaper and still see the pfctl: Invalid rule type 12 error but outbound traffic continues to flow.

Actions

Copy link

Updated by Jim Pingle almost 3 years ago

Assignee set to Luiz Souza
Target version changed from 21.05 to 2.6.0
Plus Target Version set to 21.05

Actions

Copy link

Target version changed from 2.6.0 to 2.5.2

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries