Bug #16182
closed
Firewall rules using interface subnet aliases may prevent filter rules from loading after upgrades
Added by Marcos M 11 days ago.
Updated 11 days ago.
Plus Target Version:
25.03
Description
Sometimes after upgrades with pfBlockerNG installed, there will be an alert on the dashboard stating that the filter failed to load the rules. For example:
There were error(s) loading the rules: /tmp/rules.debug:684: macro 'ALL_VLANS__NETWORK' not defined - The line in question reads [684]: pass in quick on $LAN inet from $admin_devices to $ALL_VLANS__NETWORK ridentifier 1746201666 keep state label "USER_RULE: Allow admin access to every VLAN" label "id:1746201666"
@ 2025-05-09 17:11:36
See https://forum.netgate.com/topic/197392/
- Subject changed from Firewall rules using interface network aliases may prevent filter rules from loading after upgrades to Firewall rules using interface subnet aliases may prevent filter rules from loading after upgrades
- Status changed from In Progress to Feedback
Fixed with a8e5ba643026ee11001dbeff48246ec9fbd07cc9.
This changes the behavior for interface "subnet" aliases to be included in /tmp/rules.debug even when the alias is empty. This matches how other aliases are handled. When an alias is empty and a rule references it, we rely on pf to do the right thing. Ideally all aliases would be tracked between filter table and rule generation to avoid the race where the alias would be empty when the table is generated but not when the rule is generated. That would be a more fundamental change that affects all aliases.
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
Tested working by original reporter.
Also available in: Atom
PDF
Updated by 
Updated by