Project

General

Profile

Actions
Copy link

Regression #15539

closed

PF syntax error when ``pflow`` is present on ``block`` rules

Added by Jim Pingle 6 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
High
Assignee:
Marcos M
Category:
Rules / NAT
Target version:
24.11
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Force Exclusion
Affected Plus Version:
24.08
Affected Architecture:

Description

Something either changed in rule generation or pf that is now triggering a syntax error for rules which have the pflow keyword by default and happen to be block rules:

: pfctl -f /tmp/rules.debug
/tmp/rules.debug:291: syntax error
/tmp/rules.debug:292: syntax error
pfctl: Syntax error in config file: pf rules not loaded

: sed -n 291,292p /tmp/rules.debug
block return  in  quick  on $OPTX inet from any to (self) ridentifier 1658427801 (pflow ) label "USER_RULE: Reject all other traffic to the firewall" label "id:1658427801" 
block return  in  quick  on $OPTX inet from any to $PrivateNets ridentifier 1658427827 (pflow ) label "USER_RULE: Reject all other traffic to private networks" label "id:1658427827"

IIRC it used to skip pflow on block rules in the past automatically but it's also possible pf ignored it before and doesn't now.

Actions
Copy link
 #1

Updated by Marcos M 6 months ago

  • Status changed from Confirmed to In Progress
  • Assignee set to Marcos M
  • Release Notes changed from Default to Force Exclusion
  • Affected Plus Version set to 24.08
Actions
Copy link
 #2

Updated by Marcos M 6 months ago

  • Status changed from In Progress to Resolved

Fixed with 91628a2ed3d32140a2ee66806504590a65e2654f.

Actions
Copy link

Also available in: Atom PDF