Bug #12803

closed

Error loading ruleset due to illegal TOS value

Added by Michael Berry over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

I updated my pfSense CE installation from 2.5.2 to 2.6.0 today. After the update I was getting errors showing that there were syntax errors in my rules matching on DSCP priority. I had to disable the rules I had matching on CS7 in order to get the firewall to pass traffic again. After trying several of the Diffserv Code Point options I was able to determine that some of the "afXX" options work, but it seems that none of the "csX" options work; they result in syntax errors. Here is the specific error I'm getting:

There were error(s) loading the rules: /tmp/rules.debug:278: illegal tos value 56 - The line in question reads [278]: match log on { WAN_Group } inet proto udp from any to any port $Zoom_UDP tos "56" ridentifier 1589829693 queue (qLowDelay) label "USER_RULE: Zoom Uploads (match CS7 audio dscp)--2" 

Here is the rule that is causing the issue:

        <rule>
            <id></id>
            <tracker>1589829693</tracker>
            <type>match</type>
            <interface>WAN_Group</interface>
            <ipprotocol>inet</ipprotocol>
            <tag></tag>
            <tagged></tagged>
            <direction>any</direction>
            <floating>yes</floating>
            <max></max>
            <max-src-nodes></max-src-nodes>
            <max-src-conn></max-src-conn>
            <max-src-states></max-src-states>
            <statetimeout></statetimeout>
            <statetype><![CDATA[keep state]]></statetype>
            <os></os>
            <protocol>udp</protocol>
            <source>
                <any></any>
            </source>
            <destination>
                <any></any>
                <port>Zoom_UDP</port>
            </destination>
            <dscp>cs7</dscp>
            <log></log>
            <descr><![CDATA[Zoom Uploads (match CS7 audio dscp)--2]]></descr>
            <defaultqueue>qLowDelay</defaultqueue>
            <created>
                <time>1589829693</time>
                <username><![CDATA[admin@192.168.120.71 (Local Database)]]></username>
            </created>
            <updated>
                <time>1644956550</time>
                <username><![CDATA[admin@192.168.120.145 (Local Database)]]></username>
            </updated>
        </rule>

Disabling the rule allows my other rules to load but I have no workaround for my traffic shaping matching.

Searching for anything similar for bugs I found the following post. https://redmine.pfsense.org/issues/12040#note-1
I'm not sure if it is relevant, but the dscp and tos were renamed in some release after 2.5.2 and presumably could have created a bug. I manually edited the rule and changed the tags <dscp>cs7</dscp> to <tos>cs7</tos> and did a filter reload and it no longer created the error, so maybe there's something there. I'm a long-time pfSense user, however not a programmer :)


Related issues

Has duplicate Bug #12846: Illegal tos value for certain diffserv values | Duplicate | Kristof Provost

Actions #2

Updated by Viktor Gurov over 2 years ago

  • Assignee set to Kristof Provost
Actions #3

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
  • Assignee changed from Kristof Provost to Jim Pingle
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05

Changing the config.xml from <dscp> to <tos> didn't fix the rule; it made the filter rule generation skip the value entirely since <tos> isn't valid.

Looks like pf went back to not requiring quotes around these (See #4302 for some history). If I remove the quotes, the rules load and appear to have the correct value in the ruleset.

diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index bae95805ca57cb87e51729b9b6b8956fb1f4aaf3..c08b38086bc1f8c4ea41497074f28e5debf943fb 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -3223,31 +3223,31 @@ function filter_generate_user_rule($rule) {
     if (!empty($rule['dscp'])) {
         switch (strtolower($rule['dscp'])) {
             case 'va':
-                $aline['dscp'] = " tos \"44\" ";
+                $aline['dscp'] = " tos 44 ";
                 break;
             case 'VA':
-                $aline['dscp'] = " tos \"44\" ";
+                $aline['dscp'] = " tos 44 ";
                 break;
             case 'cs1':
-                $aline['dscp'] = " tos \"8\" ";
+                $aline['dscp'] = " tos 8 ";
                 break;
             case 'cs2':
-                $aline['dscp'] = " tos \"16\" ";
+                $aline['dscp'] = " tos 16 ";
                 break;
             case 'cs3':
-                $aline['dscp'] = " tos \"24\" ";
+                $aline['dscp'] = " tos 24 ";
                 break;
             case 'cs4':
-                $aline['dscp'] = " tos \"32\" ";
+                $aline['dscp'] = " tos 32 ";
                 break;
             case 'cs5':
-                $aline['dscp'] = " tos \"40\" ";
+                $aline['dscp'] = " tos 40 ";
                 break;
             case 'cs6':
-                $aline['dscp'] = " tos \"48\" ";
+                $aline['dscp'] = " tos 48 ";
                 break;
             case 'cs7':
-                $aline['dscp'] = " tos \"56\" ";
+                $aline['dscp'] = " tos 56 ";
                 break;
             default:
                 $aline['dscp'] = " tos " . $rule['dscp'] . " ";
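
Review bot: The `default:` branch at the end of this hunk still builds the rule text as `" tos " . $rule['dscp'] . " "`, so any `dscp` value not handled by the cases above is written into the ruleset exactly as stored in the configuration, in its original case and without any check. Because a single rejected `tos` token stops the whole ruleset from loading, consider validating the value against the set of expected DSCP names first and skipping or rejecting anything else. Separately, `case 'VA':` can never match because the switch is on `strtolower($rule['dscp'])`; it can be dropped, and the repeated numeric cases would read better as one name-to-value array lookup.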

MR: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/622

Actions #4

Updated by Jim Pingle over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Viktor Gurov over 2 years ago

  • Has duplicate Bug #12846: Illegal tos value for certain diffserv values added
Actions #6

Updated by Danilo Zrenjanin over 2 years ago

  • Status changed from Feedback to Resolved

Replicated the issue on the:

2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

Retested on the:

2.7.0-DEVELOPMENT (amd64)
built on Thu Feb 24 06:20:06 UTC 2022
FreeBSD 12.3-STABLE

It works fine. I am marking this ticket resolved.

Actions #7

Updated by Jim Pingle over 2 years ago

  • Subject changed from /tmp/rules.debug - error(s) loading the rules: /tmp/rules.debug:278: illegal tos value 56 to Error loading ruleset due to illegal TOS value

Updating subject for release notes.
