PF match not working post-upgrade.
-
I had been running on a previous beta release for a while now and decided to get around to upgrading this evening.
I have a relatively simple setup and have never had any real issues running the beta releases before, so I went from pfSense 2.5.0.a.20200902.0650 -> 2.6.0.a.20210222.0100. All of the packages appeared to upgrade just fine, however after the reboot I had no Internet access.
After some troubleshooting, I found the pf rules weren't loading.
The error in the logs/alerts only said: "There were error(s) loading the rules: pfctl: Invalid rule type 12 - The line in question reads [0]: "

After some more trial and error, I determined that pfctl wasn't recognizing the "match" keyword. After removing those lines from /tmp/rules.debug, I was able to load them manually. I had a handful of rules to match on some IPs/ports and to put them in queues or route out a VPN interface.
Any ideas on why that keyword wouldn't be recognized?
-
You didn't go to 2.5.0 release... you went to the next development branch for 2.6.
I would recommend you download 2.5 and do a fresh install and then restore your backup config.
There is literally zero point in testing on 2.6 right now.
-
@jcrilly I started seeing this error on my installation after upgrading from the previous nightly build to the .0100 build. I have traffic shaper rules and lots of gateway rules (I live in the country and work from home so my WAN consists of 3 LTE modems and 2 satellite connections). I also have schedule rules set to favor LTE during the workday and the satellite at night, which has been working better than ever up until last night. After the update was installed, all WAN traffic failed to the LAN side, but I could ssh to the server and connect externally from there.
It was after that that I noticed the error icon on the top:
Filter Reload
There were error(s) loading the rules: pfctl: Invalid rule type 12 - The line in question reads [0]: @ 2021-02-24 14:22:05

I'll try to edit the same file and see if I get similar results, but so far I've found that it appears to be related to the traffic shaper. If I disable all of the rules, the error stops, but then network quality suffers in a configuration like mine.
Do you have any traffic shaper rules configured, and if so, could you try setting each to disabled in the Firewall Rules -> Floating section? I tried disabling them in the Limiters section, but that didn't disable the rules, so it appears that there is a change in that area that is causing issues.
-
@crcagle It was definitely caused by the match statements for the traffic shaper as well as a bit of match rules I had to route specific traffic out a VPN connection vs the default gateway.
I was able to get up and running without those features by commenting out the match statements from /tmp/rules.debug and loading the file manually with 'pfctl -f /tmp/rules.debug'. I had the auto-config backup service running for a while and it still had a few configs from before the upgrade, so I just reinstalled 5.0-release, reapplied my config, reinstalled my packages and it was back to working as normal again.
PF is pretty low level, so I'm not sure if something got left out of the kernel builds in 2.6 or if it was a big feature change in PF and the web UI hasn't been updated with the new keywords yet.