Netgate Discussion Forum

    Purpose of tracker on pfsense config rules

    General pfSense Questions
    3 Posts 3 Posters 2.5k Views
    ltctech

      Hi,

      I sometimes manually edit pfSense XML config files directly as it is much quicker than doing so via the GUI. I noticed that new config file rules have something called tracker, which is essentially a Unix timestamp. Where is this used, does it have to be unique, does it determine rule order?

      The NAT rules have something called associated-rule-id, which is just a PHP uniqid and has to match the associated rules, so it's obvious what that does.

      Thanks,
      LTCtech

      cmb

        It's put into the ruleset for log identification purposes. Only the rule number as configured in the running ruleset was logged by pf previously, and that isn't a static number. So if you made significant enough changes to your rules and/or NAT, then go to the firewall log, it'd tell you the wrong rule or be unable to find a matching rule.

        Check the code in /etc/inc/filter.inc to ensure you're properly generating that for rules. There's a function there you could use or adapt.

        jossef

          According to https://docs.netgate.com/pfsense/en/latest/monitoring/raw-filter-log-format.html#bnf-grammar

          the purpose of the tracker ID is:

          <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug

          I've written this script to fix my rules and make the tracker ID numbers unique:

          import xml.etree.ElementTree as ET

          ONE_SECOND = 1


          def set_child_text(parent, path, text):
              # Set the text of a nested element if it exists; rules pasted without
              # <created>/<updated> blocks are skipped instead of crashing the script.
              element = parent.find(path)
              if element is not None:
                  element.text = text


          def main():
              start_epoch = 1585650686
              root_element = ET.fromstring(XML_DATA)
              rule_elements = root_element.findall('rule')
              for rule_index, rule_element in enumerate(rule_elements):
                  # One tracker per rule, one second apart, so every value is unique
                  rule_id = str(start_epoch + (rule_index * ONE_SECOND))

                  tracker_element = rule_element.find('tracker')
                  if tracker_element is None:
                      tracker_element = ET.SubElement(rule_element, 'tracker')
                  tracker_element.text = rule_id

                  set_child_text(rule_element, 'created/time', rule_id)
                  set_child_text(rule_element, 'updated/time', rule_id)

              fixed_xml = ET.tostring(root_element, encoding='unicode')

              with open('fixed-firewall-rules.xml', 'w') as f:
                  f.write(fixed_xml)


          XML_DATA = '''
          <filter>
              <!-- copy and paste the exported <rule> elements here -->
          </filter>
          '''

          if __name__ == '__main__':
              main()

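Added example, not part of any post above and not pfSense's own code: a script that checks a config.xml snippet for duplicate or missing tracker values, repairs only the rules that need it (so historical log lines keep resolving for rules whose tracker was already unique), and then resolves the tracker field of a raw filter-log line back to the rule description, which is the log-identification purpose cmb describes. The config snippet and the log line are constructed samples; the field order of the log line (rulenum, subrulenum, anchor, tracker, interface, reason, action, direction, ...) is assumed from the raw-filter-log-format page jossef links.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in config.xml style: two rules share one tracker and a
# third rule (pasted by hand) has no tracker element at all.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <tracker>1585650686</tracker>
      <type>pass</type>
      <interface>lan</interface>
      <descr>Allow LAN to any</descr>
    </rule>
    <rule>
      <tracker>1585650686</tracker>
      <type>block</type>
      <interface>wan</interface>
      <descr>Block bogons (copied rule)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <descr>Rule pasted without a tracker</descr>
    </rule>
  </filter>
</pfsense>
"""

# Constructed raw filter-log line; the fourth comma-separated field is the tracker.
LOG_LINE = "5,,,1585650686,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,338,10.0.0.2,255.255.255.255,67,68,318"


def load(xml_text=SAMPLE_CONFIG):
    """Parse a config.xml (or a fragment of one) into an element tree root."""
    return ET.fromstring(xml_text)


def tracker_index(root):
    """Map each tracker value to the <descr> of every rule carrying it.
    Rules without a tracker are collected under the key None."""
    index = defaultdict(list)
    for rule in root.iter('rule'):
        index[rule.findtext('tracker')].append(rule.findtext('descr', default=''))
    return index


def find_problems(root):
    """Return (duplicates, missing): trackers shared by more than one rule,
    and the descriptions of rules that have no tracker element."""
    index = tracker_index(root)
    duplicates = {t: d for t, d in index.items() if t is not None and len(d) > 1}
    missing = list(index.get(None, []))
    return duplicates, missing


def assign_missing_trackers(root, start_epoch):
    """Give a fresh unique tracker to every rule that lacks one or repeats an
    earlier rule's value; rules whose tracker is already unique are untouched.
    Returns the number of rules changed."""
    seen = set()
    next_id = start_epoch
    changed = 0
    for rule in root.iter('rule'):
        tracker = rule.find('tracker')
        if tracker is not None and tracker.text and tracker.text not in seen:
            seen.add(tracker.text)
            continue
        while str(next_id) in seen:      # never reuse a value already present
            next_id += 1
        if tracker is None:
            tracker = ET.SubElement(rule, 'tracker')
        tracker.text = str(next_id)
        seen.add(tracker.text)
        next_id += 1
        changed += 1
    return changed


def rule_for_log_line(line, root):
    """Resolve the tracker field of a raw filter-log line to a rule description.
    Returns None when the tracker is unknown or ambiguous (shared by several rules)."""
    fields = line.split(',')
    if len(fields) < 8:
        return None
    matches = tracker_index(root).get(fields[3], [])
    return matches[0] if len(matches) == 1 else None


if __name__ == '__main__':
    root = load()
    print("before:", find_problems(root), rule_for_log_line(LOG_LINE, root))
    print("changed:", assign_missing_trackers(root, 1585650686))
    print("after:", find_problems(root), rule_for_log_line(LOG_LINE, root))
```

Run the check before any repair: an ambiguous tracker means the firewall log cannot tell you which of the duplicated rules matched, which is exactly the failure cmb describes for the old rule-number logging.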
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.