Bug #12803
closed
Error loading ruleset due to illegal TOS value
100%
Description
I updated my pfSense CE installation from 2.5.2 to 2.6.0 today. After the update I was getting errors showing that there were syntax errors in my rules matching on DSCP priority. I had to disable the rules I had matching on CS7 in order to get the firewall to pass traffic again. After trying several of the Diffserv Code Point options, I was able to determine that some of the "afXX" options work, but it seems that none of the "csX" options work and they result in syntax errors. Here is the specific error I'm getting:
There were error(s) loading the rules: /tmp/rules.debug:278: illegal tos value 56 - The line in question reads [278]: match log on { WAN_Group } inet proto udp from any to any port $Zoom_UDP tos "56" ridentifier 1589829693 queue (qLowDelay) label "USER_RULE: Zoom Uploads (match CS7 audio dscp)--2"
Here is the rule that is causing the issue:
<rule>
  <id></id>
  <tracker>1589829693</tracker>
  <type>match</type>
  <interface>WAN_Group</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <direction>any</direction>
  <floating>yes</floating>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <protocol>udp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <any></any>
    <port>Zoom_UDP</port>
  </destination>
  <dscp>cs7</dscp>
  <log></log>
  <descr><![CDATA[Zoom Uploads (match CS7 audio dscp)--2]]></descr>
  <defaultqueue>qLowDelay</defaultqueue>
  <created>
    <time>1589829693</time>
    <username><![CDATA[admin@192.168.120.71 (Local Database)]]></username>
  </created>
  <updated>
    <time>1644956550</time>
    <username><![CDATA[admin@192.168.120.145 (Local Database)]]></username>
  </updated>
</rule>
Disabling the rule allows my other rules to load but I have no workaround for my traffic shaping matching.
Searching for anything similar for bugs I found the following post. https://redmine.pfsense.org/issues/12040#note-1
I'm not sure if it is relevant, but the dscp and tos were renamed in some release after 2.5.2 and presumably could have created a bug. I manually edited the rule and changed the tags <dscp>cs7</dscp> to <tos>cs7</tos> and did a filter reload and it no longer created the error, so maybe there's something there. I'm a long-time pfSense user, however not a programmer :)
Updated by Viktor Gurov almost 3 years ago
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Pull Request Review
- Assignee changed from Kristof Provost to Jim Pingle
- Target version set to 2.7.0
- Plus Target Version set to 22.05
Changing the config.xml from <dscp> to <tos> didn't fix the rule; it made the filter rule generation skip the value entirely since <tos> isn't valid.
Looks like pf went back to not requiring quotes around these (See #4302 for some history). If I remove the quotes, the rules load and appear to have the correct value in the ruleset.
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index bae95805ca57cb87e51729b9b6b8956fb1f4aaf3..c08b38086bc1f8c4ea41497074f28e5debf943fb 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -3223,31 +3223,31 @@ function filter_generate_user_rule($rule) {
if (!empty($rule['dscp'])) {
switch (strtolower($rule['dscp'])) {
case 'va':
- $aline['dscp'] = " tos \"44\" ";
+ $aline['dscp'] = " tos 44 ";
break;
case 'VA':
- $aline['dscp'] = " tos \"44\" ";
+ $aline['dscp'] = " tos 44 ";
break;
case 'cs1':
- $aline['dscp'] = " tos \"8\" ";
+ $aline['dscp'] = " tos 8 ";
break;
case 'cs2':
- $aline['dscp'] = " tos \"16\" ";
+ $aline['dscp'] = " tos 16 ";
break;
case 'cs3':
- $aline['dscp'] = " tos \"24\" ";
+ $aline['dscp'] = " tos 24 ";
break;
case 'cs4':
- $aline['dscp'] = " tos \"32\" ";
+ $aline['dscp'] = " tos 32 ";
break;
case 'cs5':
- $aline['dscp'] = " tos \"40\" ";
+ $aline['dscp'] = " tos 40 ";
break;
case 'cs6':
- $aline['dscp'] = " tos \"48\" ";
+ $aline['dscp'] = " tos 48 ";
break;
case 'cs7':
- $aline['dscp'] = " tos \"56\" ";
+ $aline['dscp'] = " tos 56 ";
break;
default:
$aline['dscp'] = " tos " . $rule['dscp'] . " ";
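Review bot: the case 'VA': arm can never match, because the switch is on strtolower($rule['dscp']); it duplicates the 'va' arm and should be dropped rather than updated. Separately, the default arm concatenates $rule['dscp'] into the rule text as it came from the configuration, in its original case rather than the lowercased form the switch tested, so it would be worth checking the value against the list of accepted DSCP names before emitting it. With the quotes gone, the eight numeric arms differ only in the number, so a single name-to-value array lookup would be shorter and would make the next syntax change a one-line edit.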
MR: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/622
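A pre-upgrade check for the rules this bug affects, as an added example that is not part of the ticket or of pfSense's own code: it lists every rule whose <dscp> value took the quoted-number path in the old filter.inc, with the fragment that 2.6.0 rejects and the fragment the patch emits. The sample configuration is constructed, and the <pfsense><filter> wrapper, the <disabled> tag and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# DSCP names the pre-fix filter.inc emitted as a quoted number (taken from the diff).
QUOTED_DSCP = {"va": 44, "cs1": 8, "cs2": 16, "cs3": 24,
               "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56}

# Constructed sample. The first rule mirrors the one in the report; the rest are
# made up. The enclosing <pfsense><filter> layout is an assumption.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><tracker>1589829693</tracker><type>match</type><dscp>cs7</dscp>
    <descr><![CDATA[Zoom Uploads (match CS7 audio dscp)--2]]></descr></rule>
  <rule><tracker>1000000001</tracker><type>pass</type><dscp>af41</dscp>
    <descr><![CDATA[constructed: AF41 rule]]></descr></rule>
  <rule><tracker>1000000002</tracker><type>pass</type><dscp>CS3</dscp>
    <disabled></disabled>
    <descr><![CDATA[constructed: disabled CS3 rule]]></descr></rule>
  <rule><tracker>1000000003</tracker><type>pass</type><dscp></dscp>
    <descr><![CDATA[constructed: no DSCP match]]></descr></rule>
</filter></pfsense>"""


def find_affected_rules(config_xml):
    """Return one dict per rule whose DSCP value was written as tos "N"."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iter("rule"):
        # filter.inc lowercases the value before the switch, so do the same here.
        dscp = (rule.findtext("dscp") or "").strip().lower()
        if dscp not in QUOTED_DSCP:
            continue  # afXX and empty values take the unquoted default branch
        value = QUOTED_DSCP[dscp]
        hits.append({
            "tracker": rule.findtext("tracker") or "",
            "descr": rule.findtext("descr") or "",
            "dscp": dscp,
            "old_fragment": 'tos "%d"' % value,   # rejected: illegal tos value
            "fixed_fragment": "tos %d" % value,   # what the patched code emits
            # Assumption: a disabled rule carries an empty <disabled> element.
            "disabled": rule.find("disabled") is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_affected_rules(SAMPLE_CONFIG):
        state = "disabled" if hit["disabled"] else "ACTIVE"
        print("%s [%s] %s: %s -> %s" % (hit["tracker"], state, hit["dscp"],
                                        hit["old_fragment"], hit["fixed_fragment"]))
```

Because a single rejected line makes the whole ruleset fail to load, any rule reported as ACTIVE is enough to reproduce the error in the report.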
Updated by Jim Pingle almost 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset b7b78ea1b14555972efaf7e6c47e48709ad1c199.
Updated by Viktor Gurov almost 3 years ago
- Has duplicate Bug #12846: Illegal tos value for certain diffserv values added
Updated by Danilo Zrenjanin almost 3 years ago
- Status changed from Feedback to Resolved
Replicated the issue on the:
2.6.0-RELEASE (amd64) built on Mon Jan 31 19:57:53 UTC 2022 FreeBSD 12.3-STABLE
Retested on the:
2.7.0-DEVELOPMENT (amd64) built on Thu Feb 24 06:20:06 UTC 2022 FreeBSD 12.3-STABLE
It works fine. I am marking this ticket resolved.
Updated by Jim Pingle over 2 years ago
- Subject changed from /tmp/rules.debug - error(s) loading the rules: /tmp/rules.debug:278: illegal tos value 56 to Error loading ruleset due to illegal TOS value
Updating subject for release notes.