Bad pf NAT rule after upgrade to latest snapshot



  • After upgrading to the latest snapshot, the filter rules refuse to load due to an error:



    There were error(s) loading the rules: /tmp/rules.debug:109: syntax errorpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [109]: nat on gif0 inet from …0/ to any -> () ...


    The bad rule from line 109 of /tmp/rules.debug:

    nat on gif0 inet from …0/ to any -> ()

    I am not a pf expert, but this rule looks bad. gif0 is an IPv6 tunnel, and no NAT rules should be applied to it anyway. Any help on how to fix/debug this further?

    thx


  • Rebel Alliance Developer Netgate

    What snapshot did you come from? And upgrade to?

    There haven't been any commits to filter.inc that would change NAT rules in a while that I see. The last few were relevant to CARP only as well, before that it had been over a month before any changes.

    That rule does look bad though. Are you sure nothing else in your config changed? Are you on manual or automatic outbound NAT?



  • I am coming from

    2.1-BETA0 (amd64)
    built on Wed Jul 18 10:20:50 EDT 2012
    FreeBSD 8.3-RELEASE-p4

    yup. It has been a while.

    Manual outbound NAT rules. I got 4. Two relate to my (only) WAN interface, the two others to OpenVPN connections (one each).

    I reverted to the backup of the release above, and all is back to normal (as long as I don't upgrade).



  • Your post made me look at the diff for the last update to filter.inc (the CARP-related one), and indeed, it appears to cause the problem.

    The lines:

    if ($int != false and $int != $wan_interface) {
        $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
        if($int)
            $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";
    }

    I changed "if($int)" to "if($int!='gif0')" and the error goes away. Now I realize this is an ugly hack, but I think it proves that there is an issue here. Will file a bug report.
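    The snippet above emits a NAT line as soon as $int is non-empty, so an interface with no IPv4 address (a gif tunnel, for instance) still produces a rule with empty placeholders, and pfctl then refuses the whole ruleset. The following is an added example, not code from pfSense's filter.inc, showing the input check that prevents that: the helper names ip_to_network and carp_nat_rule, the use of a prefix length in place of $carp['netmask'], and the sample interface list are all assumptions made for the illustration.

```php
<?php
// Added example (not pfSense's filter.inc): build a CARP NAT rule only when every
// placeholder is well-formed, so a rule like "nat on gif0 inet from 0/ to any -> ()"
// is never written into the ruleset. Helper names are assumptions, not pfSense APIs.

// Turn an IPv4 address plus prefix length into "network/prefix", or null if invalid.
function ip_to_network(string $ip, int $prefix): ?string {
    $packed = ip2long($ip);
    if ($packed === false || $prefix < 0 || $prefix > 32) {
        return null;
    }
    $mask = ($prefix === 0) ? 0 : ((~0 << (32 - $prefix)) & 0xFFFFFFFF);
    return long2ip($packed & $mask) . "/{$prefix}";
}

// Return the NAT line for one CARP VIP, or null when it should be skipped.
function carp_nat_rule(string $int, ?string $ip, ?int $prefix,
                       ?string $carp_int, string $wan_interface): ?string {
    // Same guard as filter.inc: skip unresolved interfaces and the WAN itself.
    if ($int === '' || $int === $wan_interface) {
        return null;
    }
    // Hardening: the interface address, netmask and CARP interface must all be
    // present; otherwise the generated line would have empty fields.
    if ($ip === null || $prefix === null || $carp_int === null || $carp_int === '') {
        return null;
    }
    $ipnet = ip_to_network($ip, $prefix);
    if ($ipnet === null) {
        return null;
    }
    return "nat on {$int} inet from {$ipnet} to any -> ({$carp_int})";
}

// Constructed sample data standing in for the interface lookups in filter.inc.
$wan_interface = 'em0';
$candidates = [
    ['int' => 'em1',  'ip' => '192.168.1.1', 'prefix' => 24,   'carp_int' => 'vip1'],
    ['int' => 'gif0', 'ip' => null,          'prefix' => null, 'carp_int' => null], // v6 tunnel, no v4
    ['int' => 'em0',  'ip' => '203.0.113.5', 'prefix' => 24,   'carp_int' => 'vip2'], // the WAN
    ['int' => 'em2',  'ip' => '10.0.0.1',    'prefix' => 40,   'carp_int' => 'vip3'], // bad netmask
];

$lines = '';
foreach ($candidates as $c) {
    $rule = carp_nat_rule($c['int'], $c['ip'], $c['prefix'], $c['carp_int'], $wan_interface);
    if ($rule === null) {
        // Log the skip instead of handing pfctl a line it cannot parse.
        fwrite(STDERR, "skipping CARP NAT rule for {$c['int']}: incomplete or invalid input\n");
        continue;
    }
    $lines .= $rule . "\n";
}
echo $lines;
```

Run with `php` on the command line: only the em1 entry yields a rule (nat on em1 inet from 192.168.1.0/24 to any -> (vip1)); gif0 is skipped for lacking an address, em0 because it is the WAN, and em2 because its netmask is out of range. Skipping with a logged reason is preferable to the `if($int!='gif0')` workaround, since it covers any interface with missing data rather than one hard-coded name.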


Locked