Netgate Discussion Forum

    New pfblockerNG install Database Sanity check Failed

      tinfoilmatt @marchand.guy

      @marchand-guy Did you compare your pfblocker.sh to the appropriate branch version?

      What version of pfSense? What version of pfBlockerNG/-devel?

        marchand.guy @tinfoilmatt

        @tinfoilmatt
        2.8.0-RELEASE (amd64)
        built on Wed May 21 19:12:00 EDT 2025
        FreeBSD 15.0-CURRENT

        The system is on the latest version.
        Version information updated at Sat May 31 15:09:52 EDT

        pfBlockerNG net 3.2.8
        (Yes, I tried the -devel version prior to this one. No difference.)

          Maltz

          I'm seeing the same off-by-one error on my system. I'm running the same versions as marchand.guy.

          What is the impact of this error? Does it prevent any functionality?

            madmaxpr

            @SteveITS Still seeing this error myself but have no further info. It does seem to function, just with the error being shown when it updates/reloads.

              TheXman

              I was experiencing the same issue too.

              After comparing /usr/local/pkg/pfblockerng/pfblockerng.sh from 3.2.0 to 3.2.8, there was only 1 line that changed and it happened to be related to this issue. After reverting that line (#1281) back to the way it was in 3.2.0, the "Sanity Check" works as expected.

              Here are the lines as they exist in their respective versions.

              #Line 1281 in 3.2.0
              if [ "${s1} == ${s2}" ]; then
              
              #Line 1281 in 3.2.8
              if [ "${s1}" == "${s2}" ]; then
              

              Edit: Corrected my references to pfBlockerNG version numbers. Thanks @Maltz

                Maltz @TheXman

                @TheXman Wouldn't the 2.7.2 version always evaluate as true, since the string is non-null? It looks like the sanity check was fixed in 2.8.0, exposing some other issue that may have been there all along but was hidden by the broken sanity check.

                (Edit: I guess the version numbers should be 3.2.0_8 and 3.2.8, respectively, since we're talking about pfBlockerNG and not pfSense itself.)

                  marchand.guy @Maltz

                  @Maltz That is an excellent hypothesis!

                    marchand.guy @marchand.guy

                    @marchand-guy Verified hypothesis. The code always reported true before 3.2.8.
                    Good catch

                      tinfoilmatt

                      Looks like dev (@BBcan177) is already reviewing. Good teamwork, y'all.

                      Responsible commit here. Remark indicates it was a cleanup commit. I don't have the coding skills to say for sure, but this pfblocker.php update and this pfblocker_alerts.php update look odd for some reason, in addition to whatever the pfblockerng.sh L1281 fix exposed.

                      @marcosm

                        BBcan177 Moderator @tinfoilmatt

                        I think I found the last issue. The "masterfile" is a list of Filename/IPs. The "mastercat" file is just the IPs only. So it was trying to grep -v (exclude) any lines that start with the placeholder IP. So we need to change the masterfile to the mastercat in this line.

                        Try to change this line from:

                        From:
                        s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

                        To:
                        s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"

                        "Experience is something you don't get until just after you need it."

                          TheXman @BBcan177

                          @BBcan177 Thank you!

                            Maltz @BBcan177

                            @BBcan177 Success!

                            Database Sanity check [ PASSED ]

                              marchand.guy @Maltz

                              @Maltz How?
                              No change on pfSense.

                                Maltz @marchand.guy

                                @marchand-guy I manually made the change to the shell script that BBcan177 described.

                                  slu @BBcan177

                                  @BBcan177 so next step is a new package for pfSense?

                                    marchand.guy @Maltz

                                    @Maltz said in New pfblockerNG install Database Sanity check Failed:

                                    @marchand-guy I manually made the change to the shell script that BBcan177 described.

                                    Ok, done as well.
                                    Thanks

                                      tinfoilmatt

                                      Thanks, @BBcan177.

                                      Some clear confusion ITT re pfSense system version and pfBlockerNG package version numbers. For posterity:

                                      pfSense 2.7.2 CE - Database Sanity check issue not present, because pfBlockerNG and pfBlockerNG-devel packages are both on "RELENG_2_7_2" branch of pfSense / FreeBSD-Ports

                                      pfSense 2.8 CE - Database Sanity check regression, possibly because branch updated to "devel" for both packages?

                                      (RELENG_2_7_2 branch: pfBlockerNG/pfBlockerNG-devel)
                                      (devel branch: pfBlockerNG/pfBlockerNG-devel)

                                      I think that's what's happened. Maybe someone can give me a sanity check. 😜

                                      The package version numbers appear to have been realigned in pfSense 2.8 CE, however. The last package versions of pfBlockerNG and pfBlockerNG-devel on pfSense 2.7.2 CE were 3.2.8 and 3.2.0_20 respectively.

                                      But under 2.8 CE, both packages are now currently on version 3.2.8 (pfBlockerNG and pfBlockerNG-devel).

                                      Will both packages continue to be maintained separately and we should expect version numbers to potentially diverge again?

                                        madmaxpr @tinfoilmatt

                                        @tinfoilmatt Is there a fix or patch being published for this? Still waiting.

                                          tinfoilmatt @madmaxpr

                                          @madmaxpr I'm sure there will be, but @BBcan177's manual patch can be applied in the meantime.

                                          File to edit is /usr/local/pkg/pfblockerng/pfblockerng.sh, Line 1232 on my 2.8 CE/package version 3.2.8 system.

                                            Maltz @marchand.guy

                                            @tinfoilmatt There are a few things that are not quite right in there... but the short version is that this has always been broken, it seems, but the check doesn't actually do anything apart from display the alert anyway.

                                            In pfSense 2.7.2, pfBlockerNG and devel were at versions 3.2.0_8 and 3.2.0_20, respectively. In pfSense 2.8.0, they are both at v3.2.8.

                                            Note that 3.2.0_8 ≠ 3.2.8

                                            Versions 3.2.0_8 (and 3.2.0_20?) had two issues with the Database Sanity check. The first one broke the check entirely and it always showed PASSED no matter what. The second one was that the check was checking against "masterfile" instead of "mastercat".

                                            The first problem was fixed in v3.2.8, which exposed the second problem. The second problem is fixed by the change BBcan177 described above.

                                            And for those worrying about a patch - Since BBcan177 created the fix himself, I assume it'll be fixed in the next release. Also, this issue is strictly cosmetic, so there's not an urgent need for a new release to fix it. But if your OCD can't let it go (and I can relate lol) then just apply BBcan177's fix manually while we wait.

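The two defects discussed in this thread, reproduced as an added example that is not pfBlockerNG's code or any poster's: a single-string `[ ]` test that can never fail, and a `grep -cv` count taken from a file whose lines never equal the bare placeholder. The file contents, the placeholder IP, the `filename IP` layout of masterfile and the expected count of 2 are constructed assumptions.

```shell
#!/bin/sh
# Added example with constructed data; not pfBlockerNG's own code.
placeholder_re='192\.0\.2\.1'   # constructed placeholder IP, escaped for grep

# One argument: [ ] only asks "is this string non-empty?", so it always passes.
check_single_string() { [ "$1 == $2" ]; }

# Three arguments: a real string comparison ("=" is the portable spelling of "==").
check_compare() { [ "$1" = "$2" ]; }

# Count the lines that are not exactly the placeholder IP.
count_non_placeholder() { grep -cv "^${placeholder_re}\$" "$1"; }

# Write the two constructed files into directory $1.
# Assumed layout: masterfile is "filename IP", mastercat is one IP per line.
make_sample() {
    printf '%s\n' 'listA.txt 198.51.100.7' 'listA.txt 203.0.113.9' \
        'listB.txt 192.0.2.1' > "$1/masterfile"
    printf '%s\n' '198.51.100.7' '203.0.113.9' '192.0.2.1' > "$1/mastercat"
}

# Print PASSED or FAILED for file $1 against expected count $2,
# using the checker function named in $3.
sanity() {
    s1=$(count_non_placeholder "$1")
    if "$3" "$s1" "$2"; then echo PASSED; else echo FAILED; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir"
    expected=2   # real (non-placeholder) IPs in the constructed data
    echo "masterfile count: $(count_non_placeholder "$dir/masterfile")"
    echo "mastercat count:  $(count_non_placeholder "$dir/mastercat")"
    echo "single-string test, masterfile: $(sanity "$dir/masterfile" "$expected" check_single_string)"
    echo "real comparison,    masterfile: $(sanity "$dir/masterfile" "$expected" check_compare)"
    echo "real comparison,    mastercat:  $(sanity "$dir/mastercat" "$expected" check_compare)"
    rm -rf "$dir"
}
demo
```

With the single-string test the masterfile count of 3 still reports PASSED; with a real comparison it reports FAILED until the count is taken from mastercat.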
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.