Netgate Discussion Forum

    New pfblockerNG install Database Sanity check Failed

      tinfoilmatt @marchand.guy

      @marchand-guy What do you see in the error.log file? Anything else relevant printed to the pfblockerng.log file?

        marchand.guy @tinfoilmatt

        @tinfoilmatt Nothing relevant in pfblockerng.log, aside from the reported error.
        What I found is that the masterfile has indeed 81362 entries, but the deny files amount to 81364. Comparing the 2, I see that the deny files have 127.1.7.7 listed 3 times instead of 1 in the masterfile. So somehow the code is mishandling the duplicates between the 2 files.

          BBcan177 Moderator @marchand.guy

          @marchand-guy

          The code should handle the blank file ip placeholder.

          Starts at Line 1232 to 1289
          https://github.com/pfsense/FreeBSD-ports/blob/0acb5dc2ad321340aafdf282a20f9c02762d49d5/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.sh#L1232

          Maybe there is some corner case the code is missing?

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            marchand.guy @BBcan177

            @BBcan177 I am not a programmer. But a simple "sort -u" of the deny files entries brings them back to 81362. Just saying...

              tinfoilmatt @marchand.guy

              @marchand-guy Did you compare your pfblocker.sh to the appropriate branch version?

              What version of pfSense? What version of pfBlockerNG/-devel?

                marchand.guy @tinfoilmatt

                @tinfoilmatt
                2.8.0-RELEASE (amd64)
                built on Wed May 21 19:12:00 EDT 2025
                FreeBSD 15.0-CURRENT

                The system is on the latest version.
                Version information updated at Sat May 31 15:09:52 EDT

                pfBlockerNG net 3.2.8
                (yes I tried the -devel version prior to this one. no difference)

                  Maltz

                  I'm seeing the same off-by-one error on my system. I'm running the same versions as marchand.guy.

                  What is the impact of this error? Does it prevent any functionality?

                    madmaxpr

                    @SteveITS Still seeing this error myself but have no further info. It does seem to function, just with the error being shown when it updates/reloads.

                      TheXman

                      I was experiencing the same issue too.

                      After comparing /usr/local/pkg/pfblockerng/pfblockerng.sh from 3.2.0 to 3.2.8, there was only 1 line that changed and it happened to be related to this issue. After reverting that line (#1281) back to the way it was in 3.2.0, the "Sanity Check" works as expected.

                      Here are the lines as they exist in their respective versions.

                      #Line 1281 in 3.2.0
                      if [ "${s1} == ${s2}" ]; then
                      
                      #Line 1281 in 3.2.8
                      if [ "${s1}" == "${s2}" ]; then
                      

                      Edit: Corrected my references to pfBlockerNG version numbers. Thanks @Maltz

                        Maltz @TheXman

                        @TheXman Wouldn't the 2.7.2 version always evaluate as true, since the string is non-null? It looks like the sanity check was fixed in 2.8.0, exposing some other issue that may have been there all along but was hidden by the broken sanity check.

                        (Edit: I guess the version numbers should be 3.2.0_8 and 3.2.8, respectively, since we're talking about pfBlockerNG and not pfSense itself.)

                          marchand.guy @Maltz

                          @Maltz That is an excellent hypothesis!

                            marchand.guy @marchand.guy

                            @marchand-guy Verified hypothesis. The code always reported true before 3.2.8.
                            Good catch

                              tinfoilmatt

                              Looks like dev (@BBcan177) is already reviewing. Good teamwork, y'all.

                              Responsible commit here. Remark indicates it was a cleanup commit. I don't have the coding skills to say for sure, but this pfblocker.php update and this pfblocker_alerts.php update look odd for some reason, in addition to whatever the pfblockerng.sh L1281 fix exposed.

                              @marcosm

                                BBcan177 Moderator @tinfoilmatt

                                I think I found the last issue. The "masterfile" is a list of Filename/IPs. The "mastercat" file is just the IPs only. So it was trying to grep -v (exclude) any lines that start with the placeholder IP. So we need to change the masterfile to the mastercat in this line.

                                Try to change this line from:

                                From:
                                s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

                                To:
                                s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

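The two findings in this thread, the line 1281 test discussed by TheXman and Maltz and the masterfile/mastercat change described by BBcan177, reproduced on constructed files as an added example. This is not pfBlockerNG's own code: the file layouts, the placeholder regex, the helper names and the way `s2` is computed are assumptions.

```shell
#!/bin/sh
# Added example on constructed data; names and file layouts are assumptions.
work="$(mktemp -d)"
placeholder_re='127\.1\.7\.7'  # assumed regex form of the placeholder IP from the thread

# "masterfile": list name plus IP per line (assumed layout); "mastercat": IPs only.
printf '%s\n' 'listA 192.0.2.1' 'listA 192.0.2.2' 'listB 127.1.7.7' > "$work/masterfile"
printf '%s\n' '192.0.2.1' '192.0.2.2' '127.1.7.7' > "$work/mastercat"
# Deny files: listB is a blank list, so it holds only the placeholder.
printf '%s\n' '192.0.2.1' '192.0.2.2' > "$work/listA.txt"
printf '%s\n' '127.1.7.7' > "$work/listB.txt"

# Count the lines that are not exactly the placeholder IP.
count_non_placeholder() { grep -cv "^${placeholder_re}\$" "$1"; }

# 3.2.0 form: the brackets hold one non-empty string, so the test is always true.
check_old() { if [ "$1 == $2" ]; then echo PASSED; else echo FAILED; fi; }
# 3.2.8 form: two operands are compared ('=' is the POSIX spelling of '==').
check_new() { if [ "$1" = "$2" ]; then echo PASSED; else echo FAILED; fi; }

# The name prefix means ^...$ never matches, so nothing is excluded here.
s1_masterfile="$(count_non_placeholder "$work/masterfile")"
# IP-only lines let the anchored pattern drop the placeholder.
s1_mastercat="$(count_non_placeholder "$work/mastercat")"
# Assumed s2: non-placeholder lines across the deny files.
s2="$(cat "$work"/list*.txt | grep -cv "^${placeholder_re}\$")"

echo "s1(masterfile)=$s1_masterfile s1(mastercat)=$s1_mastercat s2=$s2"
echo "3.2.0 test, masterfile: $(check_old "$s1_masterfile" "$s2")"
echo "3.2.8 test, masterfile: $(check_new "$s1_masterfile" "$s2")"
echo "3.2.8 test, mastercat:  $(check_new "$s1_mastercat" "$s2")"
rm -rf "$work"
```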

                                  TheXman @BBcan177

                                  @BBcan177 Thank you!

                                    Maltz @BBcan177

                                    @BBcan177 Success!

                                    Database Sanity check [ PASSED ]

                                      marchand.guy @Maltz

                                      @Maltz How?
                                      No change on pfsense.

                                        Maltz @marchand.guy

                                        @marchand-guy I manually made the change to the shell script that BBcan177 described.

                                          slu @BBcan177

                                          @BBcan177 so next step is a new package for pfSense?

                                          pfSense Gold subscription

                                            marchand.guy @Maltz

                                            @Maltz said in New pfblockerNG install Database Sanity check Failed:

                                            @marchand-guy I manually made the change to the shell script that BBcan177 described.

                                            Ok, done as well.
                                            Thanks

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.