New pfblockerNG install Database Sanity check Failed

marchand.guy

@BBcan177 I am not a programmer. But a simple "sort -u" of the deny files entries bring them back to 81362. Just saying...

tinfoilmatt

@marchand-guy Did you compare your pfblocker.sh to the appropriate branch version?

What version of pfSense? What version of pfBlockerNG/-devel?

marchand.guy

@tinfoilmatt
2.8.0-RELEASE (amd64)
built on Wed May 21 19:12:00 EDT 2025
FreeBSD 15.0-CURRENT

The system is on the latest version.
Version information updated at Sat May 31 15:09:52 EDT

pfBlockerNG net 3.2.8
(yes I tried the -devel version prior to this one. no difference)

Maltz

I'm seeing the same off-by-one error on my system. I'm running the same versions as marchand.guy.

What is the impact of this error? Does it prevent any functionality?

madmaxpr

@SteveITS Still seeing this error myself but have no further info. It does seem to function, just with the error being shown when it updates/reloads.

TheXman

I was experiencing the same issue too.

After comparing /usr/local/pkg/pfblockerng/pfblockerng.sh from 3.2.0 to 3.2.8, there was only 1 line that changed and it happened to be related to this issue. After reverting that line (#1281) back to the way it was in 3.2.0, the "Sanity Check" works as expected.

Here are the lines as they exist in their respective versions.

#Line 1281 in 3.2.0
if [ "${s1} == ${s2}" ]; then

#Line 1281 in 3.2.8
if [ "${s1}" == "${s2}" ]; then

Edit: Corrected my references to pfBlockerNG version numbers. Thanks @Maltz

Maltz

@TheXman Wouldn't the 2.7.2 version always evaluate as true, since the string is non-null? It looks like the sanity check was fixed in 2.8.0, exposing some other issue that may have been there all along but was hidden by the broken sanity check.

(Edit: I guess the version numbers should be 3.2.0_8 and 3.2.8, respectively, since we're talking about pfBlockerNG and not pfSense itself.)

marchand.guy

@Maltz That is an excellent hypothesis!

marchand.guy

@marchand-guy Verified hypothesis. The code always reported true before 3.2.8.
Good catch

tinfoilmatt

Looks like dev (@BBcan177) is already reviewing. Good teamwork, y'all.

Responsible commit here. Remark indicates it was a cleanup commit. I don't have the coding skills to say for sure, but this pfblocker.php update and this pfblocker_alerts.php update look odd for some reason, in addition to whatever the pfblockerng.sh L1281 fix exposed.

@marcosm

BBcan177

I think I found the last issue. The "masterfile" is a list of Filename/IPs. The "mastercat" file is just the IPs only. So it was trying to grep -v (exclude) any lines that start with the placeholder IP. So we need to change the masterfile to the mastercat in this line.

Try to change this line from:

From:
s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

To:
s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"

TheXman

@BBcan177 Thank you!

Maltz

@BBcan177 Success!

Database Sanity check [ PASSED ]

marchand.guy

@Maltz How?
No change on pfsense.

Maltz

@marchand-guy I manually made the change to the shell script that BBcan177 described.

slu

@BBcan177 so next step is a new package for pfSense?

marchand.guy

@Maltz said in New pfblockerNG install Database Sanity check Failed:

@marchand-guy I manually made the change to the shell script that BBcan177 described.

Ok, done as well.
Thanks

tinfoilmatt

Thanks, @BBcan177.

Some clear confusion ITT re pfSense system version and pfBlockerNG package version numbers. For posterity:

pfSense 2.7.2 CE - Database Sanity check issue not present, because pfBlockerNG and pfBlockerNG-devel packages are both on "RELENG_2_7_2" branch of pfSense / FreeBSD-Ports

pfSense 2.8 CE - Database Sanity check regression, possibly because branch updated to "devel" for both packages?

(RELENG_2_7_2 branch: pfBlockerNG/pfBlockerNG-devel)
(devel branch: pfBlockerNG/pfBlockerNG-devel)

I think that's what's happened. Maybe someone can give me a sanity check.

The package version numbers appear to have been realigned in pfSense 2.8 CE however. The last package versions of pfBlockerNG and pfBockerNG-devel on pfSense 2.7.2 CE were 3.2.8 and 3.2.0_20 respectively.

But under 2.8 CE, both packages are now currently on version 3.2.8 (pfBlockerNG and pfBlockerNG-devel).

Will both packages continue to be maintained separately and we should expect version numbers to potentially diverge again?