Regression #15539

closed

PF syntax error when ``pflow`` is present on ``block`` rules

Added by Jim Pingle 6 months ago. Updated 6 months ago.

Status: Resolved
Priority: High
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Force Exclusion
Affected Plus Version: 24.08
Affected Architecture:

Description

Something either changed in rule generation or pf that is now triggering a syntax error for rules which have the pflow keyword by default and happen to be block rules:

```
: pfctl -f /tmp/rules.debug
/tmp/rules.debug:291: syntax error
/tmp/rules.debug:292: syntax error
pfctl: Syntax error in config file: pf rules not loaded
: sed -n 291,292p /tmp/rules.debug
block return  in  quick  on $OPTX inet from any to (self) ridentifier 1658427801 (pflow ) label "USER_RULE: Reject all other traffic to the firewall" label "id:1658427801" 
block return  in  quick  on $OPTX inet from any to $PrivateNets ridentifier 1658427827 (pflow ) label "USER_RULE: Reject all other traffic to private networks" label "id:1658427827" 
```

IIRC it used to skip pflow on block rules in the past automatically, but it's also possible pf ignored it before and doesn't now.
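The following is an added example, not code from the pfSense project or from this report: a small pre-load check that scans a generated ruleset for the exact pattern the report describes (a `block` rule carrying a `(pflow)` option) and, optionally, strips that option from block rules so the file can be validated. It assumes that dropping `pflow` from block rules is the desired sanitization, which the report hints at ("it used to skip pflow on block rules") but does not confirm as the actual fix; the sample ruleset is constructed here, modelled on the two lines quoted above, and `find_block_rules_with_pflow`, `strip_pflow_from_block_rules` and `PFLOW_OPT` are names chosen for this example.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the rules quoted in the report; this is not
# the real /tmp/rules.debug. Line 1 is a pass rule that legitimately carries
# pflow, lines 2-3 reproduce the failing block rules, line 4 is a block rule
# without pflow.
SAMPLE_RULES = """\
pass  in  quick  on $OPTX inet from any to (self) ridentifier 1658427800 (pflow ) label "USER_RULE: allow mgmt"
block return  in  quick  on $OPTX inet from any to (self) ridentifier 1658427801 (pflow ) label "USER_RULE: Reject all other traffic to the firewall" label "id:1658427801" 
block return  in  quick  on $OPTX inet from any to $PrivateNets ridentifier 1658427827 (pflow ) label "USER_RULE: Reject all other traffic to private networks" label "id:1658427827" 
block drop in on $OPTX from <bogons> to any ridentifier 11003 label "block bogon IPv4 networks from OPTX"
"""

# Matches the "(pflow )" option as emitted by the rule generator, tolerating
# optional whitespace inside the parentheses and one trailing run of spaces.
PFLOW_OPT = re.compile(r"\(\s*pflow\s*\)\s*")


def is_block_rule(line: str) -> bool:
    """True for pf rules whose action is 'block' (block, block return, block drop ...)."""
    return line.lstrip().split(" ", 1)[0] == "block"


def find_block_rules_with_pflow(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule) for every block rule carrying (pflow).

    Line numbers are 1-based so they line up with pfctl's
    '/tmp/rules.debug:NNN: syntax error' messages.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_block_rule(line) and PFLOW_OPT.search(line):
            hits.append((lineno, line.rstrip()))
    return hits


def strip_pflow_from_block_rules(text: str) -> str:
    """Remove the (pflow) option from block rules only; pass rules are untouched.

    pflow exports the states a rule creates; block rules create no state, so
    the option carries no information there (assumption behind this cleanup).
    """
    out = []
    for line in text.splitlines():
        if is_block_rule(line):
            line = PFLOW_OPT.sub("", line)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: report the offending lines the way an operator would read them,
    # then show the sanitized ruleset. A real workflow would write the result
    # to a file and run 'pfctl -n -f <file>' (parse only) before loading it.
    for lineno, rule in find_block_rules_with_pflow(SAMPLE_RULES):
        print(f"line {lineno}: block rule carries pflow: {rule[:60]}...")
    print(strip_pflow_from_block_rules(SAMPLE_RULES))
```

Running this on the constructed sample flags lines 2 and 3, matching the two `block return` rules in the report, while the `pass` rule on line 1 keeps its `(pflow )` option after sanitization.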
