Bug #4274

Marking a packet with only a number results in a broken rule

Added by Jonathan Dieter over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: Ermal Luçi
Category: Rules/NAT
Target version:
Start date: 01/24/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.2
Affected Architecture:

Description

I have a lot of floating rules used to mark packets with a number that I then catch later to do traffic shaping. This has worked perfectly in 2.0 and 2.1, but when I upgraded to 2.2, I started getting this message:

[ There were error(s) loading the rules: /tmp/rules.debug:326: syntax error - The line in question reads [326]: match in quick on { em0 } inet from $Servers to any tag 18 tracker 1422096771 label USER_RULE: Servers other]

Where $Servers is an alias for a couple of IP ranges. Removing the mark in Advanced Options makes the rule work (though obviously that screws up my traffic shaping).

I don't know if this has something to do with the fact that my tags are numbers.

Associated revisions

Revision 6a2f0ad7 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4274 same fix as #4302 enclose in double quotes to tell yacc this is a string to be parsed.

Revision 1fbae628 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4274 same fix as #4302 enclose in double quotes to tell yacc this is a string to be parsed.

History

#1 Updated by Jonathan Dieter over 4 years ago

Sorry, just realized I didn't list this as applying to 2.2 and it doesn't seem that I'm able to change it now.

#2 Updated by Jim Pingle over 4 years ago

  • Subject changed from Unable to mark packet with number in floating rule in pfSense 2.2 to Marking a packet with only a number results in a broken rule
  • Category set to Rules/NAT
  • Status changed from New to Confirmed
  • Assignee set to Ermal Luçi
  • Target version set to 2.2.1
  • Affected Version set to 2.2

Confirmed. If you place a purely numerical value in the "You can mark a packet matching this rule and use this mark to match on other NAT/filter rules. It is called Policy filtering" advanced option, the resulting rule generates an error from pf.

You can place a text value ("foo"), or a value that starts with text ("foo18") or ends with text ("18foo"), but not one that is purely numerical ("18").
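The behaviour confirmed in the comment above and the quoting fix named in the commit messages, as an added example that is not part of the original ticket or pfSense's own code. It uses a simplified model of a yacc-style lexer; the names `classify`, `tag_clause` and `loads` and the token rules are assumptions of this example.

```python
import re

# Simplified model of how a yacc-style lexer classifies a single word.
# Assumption: a digits-only word becomes NUMBER, anything in double quotes
# is STRING, and a word mixing digits and letters falls back to STRING.
def classify(token: str) -> str:
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return "STRING"
    if re.fullmatch(r"-?\d+", token):
        return "NUMBER"
    return "STRING"

def tag_clause(tag: str, quote: bool = True) -> str:
    """Build the `tag` clause of a rule line (hypothetical helper)."""
    # Conservative choice for this example: refuse anything that could end
    # the quoted string or the rule line early, so the quoting stays intact.
    if not tag or re.search(r'["\\\s]', tag):
        raise ValueError(f"invalid tag: {tag!r}")
    return f'tag "{tag}"' if quote else f"tag {tag}"

def loads(clause: str) -> bool:
    """True if the tag argument reaches the grammar as a STRING."""
    keyword, arg = clause.split(" ", 1)
    return keyword == "tag" and classify(arg) == "STRING"

# Constructed samples: the values named in the report and in comment #2.
SAMPLES = ["18", "foo", "foo18", "18foo"]

def report() -> dict:
    """Map each sample tag to (loads unquoted, loads quoted)."""
    return {t: (loads(tag_clause(t, quote=False)), loads(tag_clause(t)))
            for t in SAMPLES}

if __name__ == "__main__":
    for tag, (bare, quoted) in report().items():
        print(f"{tag!r:8} unquoted ok={bare}  quoted ok={quoted}")
```

A ruleset that fails to parse is not loaded, so a generator that emits user-supplied values into rule lines should quote and validate them rather than rely on the value happening to contain a letter.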

#3 Updated by Ermal Luçi over 4 years ago

  • Status changed from Confirmed to Feedback

#4 Updated by Ermal Luçi over 4 years ago

  • % Done changed from 0 to 100

#5 Updated by Ermal Luçi over 4 years ago

#6 Updated by Jonathan Dieter over 4 years ago

Just wanted to say I've verified this works. Thanks so much for the quick response.

#7 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved

fixed
