error(s) loading the rules: interface name too long
-
I wanted to simplify my rules across multiple VLANs by having a floating rule that allows access to an interface group, which is a list of all the VLANs that should have access.
I now get the following error as a notice:
There were error(s) loading the rules: /tmp/rules.debug:123: interface name too long - The line in question reads [123]: rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_interne pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081 @ 2020-09-01 18:00:28
It seems like a bug because I'm hitting a limit that the GUI doesn't prevent?
    pfctl -f /tmp/rules.debug
    /tmp/rules.debug:123: interface name too long
    /tmp/rules.debug:126: interface name too long
    pfctl: Syntax error in config file: pf rules not loaded
    [2.4.5-RELEASE][root@fw.meemsbox.com]/tmp: head -123 /tmp/rules.debug | tail -1
    rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_net pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081
    [2.4.5-RELEASE][root@fw.meemsbox.com]/tmp: head -126 /tmp/rules.debug | tail -1
    rdr pass on { igb4 igb2 igb2.10 igb2.20 igb2.30 igb2.40 igb2.42 igb2.44 igb2.50 bridge0 igb2.70 openvpn IOTBRIDGEGroup outbound_net pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 443 -> 127.0.0.1 port 8443
I reduced most of the line errors by shortening the name of my interface group, but it didn't resolve the issue for these 2 lines (both PFBlockerNG). It's not clear what I should change to fix it?
Thanks for help.
-
It's a bug.
Group names must be max 15 characters.
    [2.4.5-RELEASE][root@pfSense.trmultiservice.lab]/root: pfctl -f /tmp/rules.debug
    /tmp/rules.debug:263: interface name too long
    pfctl: Syntax error in config file: pf rules not loaded
    pass in quick on $GROUPTEST123456A inet proto tcp from any to any tracker 1599036505 flags S/SA keep state label "USER_RULE"
but it works with
    GROUPTEST12345A
Rename all your group interfaces to something with 15 or fewer characters: "pfblocker_groups" -> "pfblocker_group"
It was already fixed here:
https://redmine.pfsense.org/issues/10835
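One way to find every over-long name in a ruleset before reloading it, as an added example that is not part of the original posts or of pfSense. The function names are hypothetical, the sample rules are constructed from the two rules quoted in this thread, and it assumes a `$MACRO` in an `on` clause expands to a group of the same name.

```shell
#!/bin/sh
# Added example, not pfSense code. Lists names longer than 15 characters in
# the "on ..." clause of each pf rule, printing "LINE NAME LENGTH".
MAX_IFNAME=15   # limit stated in the answer above

find_long_ifnames() {   # usage: find_long_ifnames /tmp/rules.debug
    awk -v max="$MAX_IFNAME" '
    function check(name) {
        sub(/^\$/, "", name)        # assumption: $MACRO expands to a same-named group
        gsub(/[{},]/, "", name)     # drop list punctuation glued to the name
        if (length(name) > max) print NR, name, length(name)
    }
    /^[ \t]*#/ { next }             # skip comment lines
    {
        for (i = 1; i < NF; i++) {
            if ($i != "on") continue
            if ($(i + 1) ~ /^[{]/) {         # "on { a b c }" list
                for (j = i + 1; j <= NF; j++) {
                    last = ($j ~ /[}]/)
                    check($j)
                    if (last) break
                }
            } else {
                check($(i + 1))              # "on name" or "on $MACRO"
            }
            break                            # only the first "on" is the interface clause
        }
    }' "$1"
}

# Constructed sample built from the two rules quoted in this thread.
demo_rules() {
    cat <<'EOF'
# constructed sample
rdr pass on { igb4 igb2 igb2.10 openvpn IOTBRIDGEGroup outbound_net pfblocker_groups internal_lans } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081
pass in quick on $GROUPTEST123456A inet proto tcp from any to any flags S/SA keep state label "USER_RULE"
pass in quick on $GROUPTEST12345A inet proto tcp from any to any flags S/SA keep state label "USER_RULE"
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    demo_rules > "$tmp"
    find_long_ifnames "$tmp"
    rm -f "$tmp"
}
demo
```

Run against the real file with `find_long_ifnames /tmp/rules.debug`; each output line names a group to shorten, and no output means every `on` clause is within the limit.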