error(s) loading the rules: interface name too long



  • I wanted to simplify my rules across multiple VLANs by having a floating rule that allows access to an interface group, which is a list of all the VLANs that should have access.

    I now get the following error as a notice:

    There were error(s) loading the rules: /tmp/rules.debug:123: interface name too long - The line in question reads [123]: rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_interne pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081
    @ 2020-09-01 18:00:28
    

    It seems like a bug, because I'm hitting a limit that the GUI doesn't prevent?

     pfctl -f /tmp/rules.debug
    /tmp/rules.debug:123: interface name too long
    /tmp/rules.debug:126: interface name too long
    pfctl: Syntax error in config file: pf rules not loaded
    
    [2.4.5-RELEASE][root@fw.meemsbox.com]/tmp: head -123 /tmp/rules.debug | tail -1
    rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_net pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081
    
    [2.4.5-RELEASE][root@fw.meemsbox.com]/tmp: head -126 /tmp/rules.debug | tail -1
    rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_net pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 443 -> 127.0.0.1 port 8443
    
    

    I reduced most of the line errors by shortening the name of my interface group, but it didn't resolve the issue for these 2 lines (both pfBlockerNG). It's not clear what I should change to fix it?

    Thanks for the help.


  • It's a bug.
    Group names must be max 15 characters.

    [2.4.5-RELEASE][root@pfSense.trmultiservice.lab]/root: pfctl -f /tmp/rules.debug
    /tmp/rules.debug:263: interface name too long
    pfctl: Syntax error in config file: pf rules not loaded
    

    pass in quick on $GROUPTEST123456A inet proto tcp from any to any tracker 1599036505 flags S/SA keep state label "USER_RULE"

    but it works with
    GROUPTEST12345A

    Rename all your group interfaces to something with 15 or fewer characters: "pfblocker_groups" -> "pfblocker_group".

    It was already fixed here:
    https://redmine.pfsense.org/issues/10835

