Bug #16182 (closed, 100% done)
Firewall rules using interface subnet aliases may prevent filter rules from loading after upgrades
Description
Sometimes after upgrades with pfBlockerNG installed, there will be an alert on the dashboard stating that the filter failed to load the rules. For example:
There were error(s) loading the rules: /tmp/rules.debug:684: macro 'ALL_VLANS__NETWORK' not defined - The line in question reads [684]: pass in quick on $LAN inet from $admin_devices to $ALL_VLANS__NETWORK ridentifier 1746201666 keep state label "USER_RULE: Allow admin access to every VLAN" label "id:1746201666" @ 2025-05-09 17:11:36
Updated by Marcos M 11 days ago
- Subject changed from Firewall rules using interface network aliases may prevent filter rules from loading after upgrades to Firewall rules using interface subnet aliases may prevent filter rules from loading after upgrades
- Status changed from In Progress to Feedback
Fixed with a8e5ba643026ee11001dbeff48246ec9fbd07cc9.
This changes the behavior for interface "subnet" aliases to be included in /tmp/rules.debug even when the alias is empty. This matches how other aliases are handled. When an alias is empty and a rule references it, we rely on pf to do the right thing. Ideally all aliases would be tracked between filter table and rule generation to avoid the race where the alias would be empty when the table is generated but not when the rule is generated. That would be a more fundamental change that affects all aliases.
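As an added example (not part of this bug report or of pfSense's own code), a small pre-load check that scans a generated rules.debug for `$MACRO` references with no preceding `MACRO = "..."` definition, reporting them in the same line-numbered form pfctl uses. The ruleset below is constructed, with ALL_VLANS__NETWORK deliberately left undefined to reproduce the failure described above.

```python
import re
from typing import List, Tuple

# Constructed sample of a pfSense-style rules.debug fragment (not the real file).
# ALL_VLANS__NETWORK is intentionally never defined, as happens when an empty
# interface subnet alias is skipped during macro generation.
SAMPLE_RULES = """\
LAN = "em1"
admin_devices = "<admin_devices>"
pass in quick on $LAN inet from $admin_devices to $ALL_VLANS__NETWORK ridentifier 1746201666 keep state label "USER_RULE: Allow admin access to every VLAN"
"""

# pf.conf macro definition: name = "value" (value may itself reference macros)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"')
# pf.conf macro reference: $name or ${name}
MACRO_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')


def find_undefined_macros(ruleset: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, macro_name, line_text) for every macro reference
    that is not defined earlier in the ruleset, in file order."""
    defined = set()
    problems: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments
        # A definition may reference other macros in its value, so check
        # references first and only then record the new name.
        for ref in MACRO_REF.findall(code):
            if ref not in defined:
                problems.append((lineno, ref, line.strip()))
        m = MACRO_DEF.match(code)
        if m:
            defined.add(m.group(1))
    return problems


def report(ruleset: str, path: str = "/tmp/rules.debug") -> List[str]:
    """Format findings the way the dashboard alert quotes pfctl's error."""
    return [
        f"{path}:{n}: macro '{name}' not defined - The line in question reads [{n}]: {text}"
        for n, name, text in find_undefined_macros(ruleset)
    ]


if __name__ == "__main__":
    for msg in report(SAMPLE_RULES):
        print(msg)
```

Running the check against the text of /tmp/rules.debug before pfctl is invoked turns the post-upgrade surprise into an explicit failure that names the missing alias macro.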
Updated by Marcos M 11 days ago
- % Done changed from 0 to 100
Applied in changeset a8e5ba643026ee11001dbeff48246ec9fbd07cc9.
Updated by Patrik Stahlman 11 days ago
I have verified that the patch fixes the issue, using the instructions in https://forum.netgate.com/post/1214308