Project

General

Profile

Regression #11857

Match rules cause pf error parsing rules

Added by Jim Pingle about 2 months ago. Updated 19 days ago.

Status:
Closed
Priority:
Urgent
Assignee:
Category:
Rules / NAT
Target version:
Start date:
04/27/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Force Exclusion
Affected Version:
2.6.x
Affected Architecture:
All

Description

Having a match rule, either manually or from ALTQ traffic shaping, leads to a pfctl error loading the rules:

pfctl: Invalid rule type 12

Happens on Plus 21.05 snapshots as well as 2.6.0 snapshots.

Simple to reproduce, add a rule on the Floating tab with the action set to match. The other parameters don't seem to matter, so set a random TCP port, save and apply. Then after applying, there will be an notification of the error.

Remove the match rule(s) and/or remove ATLQ traffic shaping and the rules load as expected.

Rule from /tmp/rules.debug:

match  on {  ix3  } inet proto tcp  from any to any port 65164 tracker 1619532858 flags S/SA  label "USER_RULE: match test" 

Same rules load fine on 21.02.2/2.5.1.

History

#1 Updated by Brad Hawkins about 1 month ago

I am seeing the exact same issue on my Negate 3100.
The first time I upgraded from 21.02 to 21.05 all outbound traffic was blocked until all traffic shaping rules were removed.
Since removing the rules I can re-add the traffic shaper and still see the pfctl: Invalid rule type 12 error but outbound traffic continues to flow.

#2 Updated by Jim Pingle 29 days ago

  • Assignee set to Luiz Souza
  • Target version changed from 21.05 to 2.6.0
  • Plus Target Version set to 21.05

#3 Updated by Kristof Provost 28 days ago

Confirmed, and tracked down to a merge conflict. Fix pushed to the development branches, and merge request opened for the 21_05 branch.

#4 Updated by Jim Pingle 28 days ago

  • Status changed from New to Feedback

Commit was merged, will test once it's in a build.

#5 Updated by Jim Pingle 27 days ago

  • % Done changed from 0 to 100

match rules load OK on pfSense Plus snapshot 21.05.r.20210519.0300, there isn't a new CE snapshot yet that has the fix to test.

#6 Updated by Jim Pingle 25 days ago

  • Status changed from Feedback to Closed

Match rules are also working on 2.6.0.a.20210520.0100 -- closing.

#7 Updated by Jim Pingle 21 days ago

  • Release Notes changed from Default to Force Exclusion

Excluding from release notes since it was a problem introduced by changes after the last release.

#8 Updated by Jim Pingle 19 days ago

  • Target version changed from 2.6.0 to 2.5.2

Also available in: Atom PDF