There were errors loading rules (Solved and Patched)

Visseroth · Feb 16, 2022, 1:55 AM

I didn't start getting this error until I enabled PfBlocker so it's assumed it's related, but you know what happens when you assume.
None the less I thought I'd post it here and ask so I can get the error resolved.
I was running 2.5 but just updated to 2.6 and I thought this error was a bug and would get fixed but it persists so I figure it's got to be a configuration somewhere I'm missing.
Any help is appreciated.

The error I'm getting is...

18:47:07 There were error(s) loading the rules: /tmp/rules.debug:155: could not parse host specification - The line in question reads [155]: rdr pass on ix0 inet6 proto tcp from any to ::192168421 port 80 -> ::1 port 8081

18:48:00 There were error(s) loading the rules: /tmp/rules.debug:155: could not parse host specification - The line in question reads [155]: rdr pass on ix0 inet6 proto tcp from any to ::192168421 port 80 -> ::1 port 8081

I assume it's a port conflict with 8081.
Any ideas where to look and/or how to solve this?
The error is blowing my email up now, I used to get it once a day or when PfBlocker updates were done.

viktor_g · Feb 15, 2022, 7:13 AM

This is a know issue: https://redmine.pfsense.org/issues/12440

You can install the System Patches pkg: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

and apply this patch: 469.diff

Visseroth · Feb 15, 2022, 9:40 AM

@viktor_g
Thank you for the reply and please forgive my ignorance.
I've never had to apply a patch and I'm not sure what all these field are supposed to contain but it gives me the error, "The uploaded file must be in unified diff format"

Gertjan · Feb 15, 2022, 9:47 AM

@visseroth

You're nearly there.

Put in place a Description. This could be anything, like :

https://redmine.pfsense.org/issues/12440 2.6.0 20220215

Leave the "URL/Commit ID" empty (as you already have the patch).

Paste in the patch.

diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc
index e45d5ffc6b7e2dd6b7df7077872b63f24e69d13f..40a4852cf49f3cdf64415f89dc94290345f09a7a 100644
--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -3196,6 +3196,15 @@ function calculate_ipv6_delegation_length($if) {
 function merge_ipv6_delegated_prefix($prefix, $suffix, $len = 64) {
 	$prefix = Net_IPv6::uncompress($prefix, true);
 	$suffix = Net_IPv6::uncompress($suffix, true);
+	/* convert zero-value prefix IPv6 addresses with IPv4 mapping to hex
+	 * see https://redmine.pfsense.org/issues/12440 */
+	$suffix_list = explode(':', $suffix);
+	if (is_ipaddrv4($suffix_list[count($suffix_list) - 1])) {
+		$hexsuffix = dechex(ip2long($suffix_list[count($suffix_list) - 1]));
+		$suffix_list[count($suffix_list) - 2] = substr($hexsuffix, 0, 4);
+		$suffix_list[count($suffix_list) - 1] = substr($hexsuffix, 4, 8);
+		$suffix = implode(':', $suffix_list);
+	}	
 
 	/*
 	 * xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

(don't copy this one, use the diff from "the source" == what @viktor_g showed above).

Save.

Do a Test and if it shows :

you can Apply it.

Visseroth · Feb 15, 2022, 1:20 PM

@gertjan Thanks!
I guess I didn't realize I needed to open the file in a text editor and paste the contents in.

The patch successfully applied, new the question is, is it going to cause problems with upgrades?

viktor_g · Feb 15, 2022, 1:20 PM

@visseroth said in There were errors loading rules:

@gertjan Thanks!
I guess I didn't realize I needed to open the file in a text editor and paste the contents in.

The patch successfully applied, new the question is, is it going to cause problems with upgrades?

Does it works fine now?
It will be in the next pfSense version, don't worry.

Gertjan · Feb 15, 2022, 3:25 PM

@visseroth said in There were errors loading rules:

The patch successfully applied, new the question is, is it going to cause problems with upgrades?

It also applies to CE 2.5.2 just fine.

Your question : What happens when I upgrade to 2.6.0 (or whatever version in the future) :

You should know that the patch system runs early when pfSense boots.
You could have known that, and see that this is the case, if you have installed the pfSense StartCmd package. You should see :

which means that the patch package is executed as early as possible.

It parses all the patches you've activated. If the file(s) of a patch are already patched (applied cleanly), it does nothing.

When I decide to update from 2.5.2 to 2.6.0, pfSense core script files will get updated, which mans the will get replaced.
Upon reboot, if the file content matches the "non pachted version" - which means it could be patched = applied cleanly, it will patch == apply the modification.
If the file doesn't match, because it was modified so the patch can't be matched any more, it won't do anything. This is most probably because the new version now contains the patch.

In this case : an issue existed in 2.5.2 and it still exist in 2.6.0 (the file with the 'bug' is still the same). The (only) file(s) to be patched is the same so this patch, right now, when I reboot the first time using 2.6.0, the patch will get auto applied right away. As it is applied now, using the 2.5.2 set of files.
If the files were changed (newer version) during upgrade, the patch won't 'fit' and won't 'auto' apply.

This means the patch system is a "set it and forget it" solution.
You can set up a patch, and forget about it.
Days, weeks, months, years later, when you come back to check your patches, you find patches that can't "apply cleanly", and can't be "reverted cleanly". In that case, you can remove the patch as it became useless.

edit : sorry, while reading my post, it seems a bit wonky to me. I hope you can get something out of it.
The patch package is a very useful tool; I've been using it for years.
When a new version comes out, there are always some new issues. Some of them could be real show stoppers, and people thing they have to get back to the older version.
Most often, they issues will be found fast and patches will get created.

Visseroth · Feb 16, 2022, 1:55 AM

@gertjan Makes perfect sense, thank you for the clarification.
I haven't had to use any patches as of yet, I usually just work around the problem or the problem doesn't effect me so I let it be, but this was an annoying problem that required me to disable mail notifications, which means potential issues may get ignored until they are noticed.
That in itself can be a problem.

Thank you everyone for your help, greatly appreciated!