Error - "There were error(s) loading the rules"
-
Since the upgrade of pfBlockerNG from v2 to v3 with pfsense version 2.6.0 (the problem exists also after an upgrade to 2.7.0), we detect frequently following error messages:
There were error(s) loading the rules: /tmp/rules.debug:51: cannot load "/var/db/aliastables/pfB_Top_v4.txt": Invalid argument - The line in question reads [51]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
@ 2023-07-13 15:45:20In most cases the error appears while a filter reload (updating a firewall rule) or after a reboot.
As a result changes are not loaded or after reboot the NAT rules are not loaded.This problem ist very similar to following posts:
- https://forum.netgate.com/topic/118293/2-3-4-p1-breaks-pfblockerng
- https://forum.netgate.com/topic/128402/error-there-were-error-s-loading-the-rules
The temporary solution is to disable and re enable pfBlocker.
After some hours/days the error appears again or directly after firewall changes.Reinstalling pfBlocker did not fix the problem.
Could it be something like a race condition, when the cron runs and a filter reload is triggered?
CRON PROCESS START [ v3.2.0_5 ] [ 07/13/23 15:45:00 ]
[ custom_blocklist_v4 ]
( md5 feed ) . 200 OK
( md5 changed ) Update found
UPDATE PROCESS START [ v3.2.0_5 ] [ 07/13/23 15:45:01 ]===[ DNSBL Process ]================================================
===[ GeoIP Process ]============================================
[ pfB_Top_v4 ] exists.
[ pfB_Europe_v4 ] exists.
[ pfB_NAmerica_v4 ] exists.===[ IPv4 Process ]=================================================
[ custom_blocklist_v4 ] Downloading update . ( md5 feed ) . completed ..
Reputation (Max=5) - Range(s)
87.xxx.xxx.|Reputation -Max Stats
Blacklisted Match
Ranges IPs Ranges IPs1 6 0 0
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_custom_blocklist_v4
1 addresses deleted.===[ Kill States ]==================================================
No matching states found
======================================================================
UPDATE PROCESS ENDED
-
@revilzs said in Error - "There were error(s) loading the rules":
Since the upgrade of pfBlockerNG from v2 to v3
This version :
?
(also available without -devel )@revilzs said in Error - "There were error(s) loading the rules":
persist file "/var/db/aliastables/pfB_Top_v4.txt"
Did you have a look at this file ? ( why not ? )
How many lines (== entries) does it have ?The best solution is : using pfBlocker feeds there are less big.
What feeds did you use ?Example : these :
and already 25 % of my 4 Gbytes is used.
Look at the start of /tmp/rules.debug, you'll find :
... set limit table-entries 400000 ...which means : creating pg (firewall) tables which are bigger then that number (entries) will make the system not happy.
You can set this number here : System > Advanced > Firewall & NATAlso : do a Firewall > pfBlocker > NGUpdate :: Reload :: All
Everything goes well ?
You'll see what and how much is loaded.Also : go here Status > Monitoring and check System > Memory usage.
-
@Gertjan thank you for the fast reply!
pfBlockerNG 3.2.0_5 without -devel:
But we had the problem also with a previous version for example v3.2.0_3
Yes, I looked at that file. It looks ok and has valid IP net entries:
[...]
217.67.76.0/23
217.67.78.0/23
217.147.172.0/24Lines: 28352
We are using one custom IPv4 feed and GeoIPv4. With disabled GeoIP Aliases everything works fine:
Alias table IP Counts
112026 total
83220 /var/db/aliastables/pfB_NAmerica_v4.txt
28352 /var/db/aliastables/pfB_Top_v4.txt
347 /var/db/aliastables/pfB_Europe_v4.txt
107 /var/db/aliastables/pfB_custom_blocklist.txtpfSense Table Stats
table-entries hard limit 400000
Table Usage Count 112170"Also : do a Firewall > pfBlocker > NGUpdate :: Reload :: All"
Everything goes well ? -> Yes, but also "No changes to Firewall rules, skipping Filter Reload""Also : go here Status > Monitoring and check System > Memory usage."
13% of 4038 MiB -
@revilzs Set the max table entries to 2 million. Long ago I read that was the minimum recommended for pfBlocker.
After updates, restores, or especially uninstalling/reinstalling pfB I've had to run an Update in pfBlocker so it regenerates the files.
-
@SteveITS thank you for that hint.
I increased the Firewall Maximum Table Entries from 400.000 to 800.000. To reduce the overall entries, I enabled De-Duplication and CIDR Aggregation.
Since yesterday evening the errors did not occur again. I will continue to monitor the systems.
-
@revilzs It has to at least be big enough to hold the data. Extra space won't hurt.
enabled De-Duplication
One note on this...if you use pfBlocker to create overlapping deny rules the deduplication works across rules, so may remove an entry from additional rules. If that's the case for you, disable it, or use Alias Native and create your own rules.