Todo #16796
Status: closed
Retain a copy of the failed ruleset when a filter reload fails
% Done: 100%
Description
Currently when a filter reload fails the system falls back to the previous ruleset, leaving the bad ruleset in place. If the filter reload eventually succeeds on a subsequent reload (e.g. during boot), the bad ruleset will no longer be present to aid in debugging the problem.
It's simple enough to copy the bad ruleset when it fails, like so:
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 70a02ce5a7..71bcf1de60 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1204,6 +1204,11 @@ function reload_filter() {
} elseif (file_exists("{$g['cf_conf_path']}/rules.debug.old")) {
$_grbg = exec("/sbin/pfctl -o basic -f {$g['cf_conf_path']}/rules.debug.old 2>&1");
}
+
+ /* Save the bad ruleset */
+ @copy("{$g['tmp_path']}/rules.debug",
+ "{$g['cf_conf_path']}/rules.debug.bad");
+
if ($line_error and $line_number) {
file_notice("filter_load", sprintf(gettext('There were error(s) loading the rules%3$s: %1$s - %2$s'), $saved_line_error, $line_error, (empty($rules_result) ? '' : ' (' . strval($rules_result) . ')')), "Filter Reload", "");
update_filter_reload_status(sprintf(gettext('There were error(s) loading the rules%3$s: %1$s - %2$s'), $saved_line_error, $line_error, (empty($rules_result) ? '' : ' (' . strval($rules_result) . ')')));
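Review bot: the `@copy(...)` added at the top of this hunk suppresses any failure, so if `{$g['cf_conf_path']}` is read-only or full the bad ruleset is silently not saved and the admin is left with nothing to debug, which is the very situation the change is meant to fix. Check the return value and record it, e.g. `if (!copy("{$g['tmp_path']}/rules.debug", "{$g['cf_conf_path']}/rules.debug.bad")) { log_error(...); }`, and consider mentioning the `rules.debug.bad` path in the `file_notice` text in the following lines so whoever reads the notice knows where the failing ruleset was kept.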
However, this only keeps one copy from one failure. That may be sufficient, though. We could make a copy with a timestamp, but most likely we don't need to keep multiple copies since they could pile up if there are repeated problems.
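The description weighs a single `rules.debug.bad` against timestamped copies that could pile up. The shell script below is an added example, not pfSense's own code, showing the middle ground: each failed load is saved under a timestamped name together with the loader's error output, and the history is pruned to the newest few. It goes beyond the single-copy approach in the ticket. Assumptions (hypothetical): `PFCTL` names the loader command so the wrapper can be exercised with a stand-in for `/sbin/pfctl`, `KEEP_BAD` bounds the history, and the paths passed to `reload_ruleset` are whatever the caller uses for the new ruleset, the previous good ruleset and the directory for saved copies.

```shell
#!/bin/sh
# Added example, not pfSense code: keep a bounded, timestamped history of
# rulesets that failed to load instead of a single rules.debug.bad.
# Assumptions (hypothetical): PFCTL is the loader (/sbin/pfctl by default,
# overridable so the script can be tested with a stand-in); KEEP_BAD is
# how many failed rulesets to keep.

PFCTL=${PFCTL:-/sbin/pfctl}
KEEP_BAD=${KEEP_BAD:-3}

# count_bad DIR: number of saved failed rulesets in DIR (.err companions excluded)
count_bad() {
    ls -1 "$1"/rules.debug.bad.* 2>/dev/null | grep -cv '\.err$' || true
}

# prune_bad DIR: delete all but the newest $KEEP_BAD saved rulesets in DIR,
# together with their .err companions. Names sort chronologically because
# they begin with a fixed-width YYYYmmddHHMMSS timestamp.
prune_bad() {
    dir=$1
    excess=$(( $(count_bad "$dir") - KEEP_BAD ))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$dir"/rules.debug.bad.* | grep -v '\.err$' | sort | head -n "$excess" |
    while read -r f; do
        rm -f "$f" "$f.err"
    done
}

# reload_ruleset NEW OLD BAD_DIR
# Loads NEW. On failure, saves NEW and the loader's error output under
# BAD_DIR, prunes the history, and reloads OLD as the fallback.
# Returns 0 if NEW loaded, 1 if OLD had to be restored, 2 if neither loaded.
reload_ruleset() {
    new=$1
    old=$2
    bad_dir=$3
    if err=$("$PFCTL" -o basic -f "$new" 2>&1); then
        return 0
    fi
    # Timestamp prefix keeps names sortable; the mktemp suffix avoids
    # clobbering a copy when two failures happen within the same second.
    bad=$(mktemp "$bad_dir/rules.debug.bad.$(date +%Y%m%d%H%M%S).XXXXXX") || bad=""
    if [ -n "$bad" ] && cp "$new" "$bad"; then
        printf '%s\n' "$err" > "$bad.err"
    else
        # Unlike a silenced copy, a failure to save the evidence is reported.
        echo "warning: could not save failed ruleset under $bad_dir: $err" >&2
    fi
    prune_bad "$bad_dir"
    if [ -f "$old" ] && "$PFCTL" -o basic -f "$old" >/dev/null 2>&1; then
        return 1
    fi
    return 2
}
```

The `.err` companion file matters in practice: the saved ruleset alone tells you what was loaded, but pfctl's message tells you which line it rejected, and by the time someone looks the notice may have been cleared.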
Updated by Jim Pingle 1 day ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Implemented in 3a0eddea39b2a6d6cd8deadde6efbf98dd4332fe
Updated by Jim Pingle about 6 hours ago
- Status changed from Feedback to Resolved
Deliberately causing a filter reload error leaves the failing copy in place at /conf/rules.debug.bad as expected now. Closing.