Project

General

Profile

Actions

Bug #12803

closed

Error loading ruleset due to illegal TOS value

Added by Michael Berry almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

I updated my Pfsense CE installation from 2.5.2 to 2.6.0 today. After the update I was getting errors showing that there were syntax errors in my rules matching on DSCP priority. I had to disable the rules I had matching on CS7 in order to get the firewall to pass traffic again. After trying several of the Diffserv Code Point options I was able to determine that some of the "afXX" options work but it seems that none of the "csX" options work and result in syntax errors. Here is the specific error I'm getting:

There were error(s) loading the rules: /tmp/rules.debug:278: illegal tos value 56 - The line in question reads [278]: match log on { WAN_Group } inet proto udp from any to any port $Zoom_UDP tos "56" ridentifier 1589829693 queue (qLowDelay) label "USER_RULE: Zoom Uploads (match CS7 audio dscp)--2" 

Here is the rule that is causing the issue:

<rule>
            <id></id>
            <tracker>1589829693</tracker>
            <type>match</type>
            <interface>WAN_Group</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <direction>any</direction>
            <floating>yes</floating>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>udp</protocol>
            <source>
                <any></any>
            </source>
            <destination>
                <any></any>
                <port>Zoom_UDP</port>
            </destination>
            <dscp>cs7</dscp>
            <log></log>
            <descr><![CDATA[Zoom Uploads (match CS7 audio dscp)--2]]></descr>
            <defaultqueue>qLowDelay</defaultqueue>
            <created>
                <time>1589829693</time>
                <username><![CDATA[admin@192.168.120.71 (Local Database)]]></username>
            </created>
            <updated>
                <time>1644956550</time>
                <username><![CDATA[admin@192.168.120.145 (Local Database)]]></username>
            </updated>
        </rule>

Disabling the rule allows my other rules to load but I have no workaround for my traffic shaping matching.

Searching for anything similar for bugs I found the following post. https://redmine.pfsense.org/issues/12040#note-1
I'm not sure if it is relevant but the dscp and tos were renamed in some release after 2.5.2 and presumably could have created a bug. I manually edited the rule and changed the tags <dscp>cs7</dscp> to <tos>cs7</tos> and did a filter reload and it no longer created the error, so maybe there's something there. I'm a long time pfsense user, however not a programmer :)


Related issues

Has duplicate Bug #12846: Illegal tos value for certain diffserv valuesDuplicateKristof Provost

Actions
Actions

Also available in: Atom PDF