Todo #16796 (closed): Retain a copy of the failed ruleset when a filter reload fails
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Description
Currently, when a filter reload fails, the system falls back to the previous ruleset, leaving the bad ruleset in place. If the filter reload eventually succeeds on a subsequent reload (e.g. during boot), the bad ruleset is overwritten and is no longer available to aid in debugging the problem.
It's simple enough to copy the bad ruleset when it fails, like so:
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 70a02ce5a7..71bcf1de60 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1204,6 +1204,11 @@ function reload_filter() {
} elseif (file_exists("{$g['cf_conf_path']}/rules.debug.old")) {
$_grbg = exec("/sbin/pfctl -o basic -f {$g['cf_conf_path']}/rules.debug.old 2>&1");
}
+
+ /* Save the bad ruleset */
+ @copy("{$g['tmp_path']}/rules.debug",
+ "{$g['cf_conf_path']}/rules.debug.bad");
+
if ($line_error and $line_number) {
file_notice("filter_load", sprintf(gettext('There were error(s) loading the rules%3$s: %1$s - %2$s'), $saved_line_error, $line_error, (empty($rules_result) ? '' : ' (' . strval($rules_result) . ')')), "Filter Reload", "");
update_filter_reload_status(sprintf(gettext('There were error(s) loading the rules%3$s: %1$s - %2$s'), $saved_line_error, $line_error, (empty($rules_result) ? '' : ' (' . strval($rules_result) . ')')));
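Review bot: the `@copy(...)` added in this hunk discards both the return value and any warning, so if the copy fails (source `rules.debug` missing from `{$g['tmp_path']}`, or `{$g['cf_conf_path']}` not writable) nothing records that the debugging copy was not kept, and the operator looking for `rules.debug.bad` later will not know why it is absent. Suggest checking the result and logging the failure, e.g. `if (!@copy("{$g['tmp_path']}/rules.debug", "{$g['cf_conf_path']}/rules.debug.bad")) { log_error("Unable to save failed ruleset to {$g['cf_conf_path']}/rules.debug.bad"); }`. The comment would also be clearer if it stated that `rules.debug.bad` is overwritten on every failed reload, so only the most recent failure survives, which is the limitation the description goes on to discuss.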
However, this only keeps a single copy, from the most recent failure. That may be sufficient, though. We could make a copy with a timestamp, but most likely we don't need to keep multiple copies, since they could pile up if there are repeated problems.
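If timestamped copies are ever wanted, the pile-up concern can be addressed by pruning to a fixed number of files. The helper below is an added example, not pfSense project code; it assumes the same paths as the patch (the generated ruleset in `$g['tmp_path']`, copies stored beside the config in `$g['cf_conf_path']`) and the function name `save_failed_ruleset` is hypothetical.

```php
<?php
/*
 * Added example (not part of the pfSense code base): keep a bounded history of
 * failed rulesets instead of a single rules.debug.bad. Each failure is saved as
 * rules.debug.bad.<YYYYmmdd-HHMMSS>; after saving, only the newest $keep copies
 * remain, so repeated failures (e.g. a boot loop) cannot fill the config partition.
 *
 * $src     - path of the ruleset that failed to load (assumed: $g['tmp_path'] . "/rules.debug")
 * $dst_dir - directory for the copies (assumed: $g['cf_conf_path'])
 * $keep    - how many copies to retain; 1 behaves like the single-copy patch
 *
 * Returns the path written, or null if the ruleset could not be copied.
 */
function save_failed_ruleset(string $src, string $dst_dir, int $keep = 5): ?string {
	if ($keep < 1 || !is_readable($src) || !is_dir($dst_dir)) {
		return null;
	}

	/* Fixed-width timestamp so a plain string sort orders files by age. */
	$dst = sprintf("%s/rules.debug.bad.%s", $dst_dir, date('Ymd-His'));

	/* Two failures within the same second would collide; add a counter. */
	$n = 0;
	$candidate = $dst;
	while (file_exists($candidate)) {
		$n++;
		$candidate = "{$dst}-{$n}";
	}
	$dst = $candidate;

	if (!copy($src, $dst)) {
		/* Caller can log this; nothing silently swallowed as with @copy. */
		return null;
	}

	/* Prune: newest first, then drop everything beyond $keep. */
	$copies = glob("{$dst_dir}/rules.debug.bad.*");
	if ($copies !== false) {
		rsort($copies, SORT_STRING);
		foreach (array_slice($copies, $keep) as $old) {
			unlink($old);
		}
	}

	return $dst;
}

/* Usage in the failure branch of reload_filter(), replacing the bare @copy(): */
// $saved = save_failed_ruleset("{$g['tmp_path']}/rules.debug", $g['cf_conf_path'], 5);
// if ($saved === null) {
//	log_error("Unable to save failed ruleset copy under {$g['cf_conf_path']}");
// }
```

With `$keep = 1` this degrades to the single-copy behaviour of the patch (the previous copy is pruned after the new one is written), so the bound is the only policy knob. The glob pattern `rules.debug.bad.*` deliberately does not match a bare `rules.debug.bad` left by the original patch, so the two schemes can coexist without the pruner deleting it.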