Netgate Discussion Forum
    Bad pf NAT rule after upgrade to latest snapshot

    Category: 2.1 Snapshot Feedback and Problems - RETIRED
    4 posts, 2 posters, 1.1k views
    packetslinger:

      After upgrading to the latest snapshot, the filter rules refuse to load due to an error:

      ---

      There were error(s) loading the rules: /tmp/rules.debug:109: syntax error
      pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [109]: nat on gif0 inet from …0/ to any -> () ...


      The bad rule from line 109 of /tmp/rules.debug:

      nat on gif0 inet from …0/ to any -> ()

      I am not a pf expert, but this rule looks bad. gif0 is an IPv6 tunnel, and no NAT rules should be applied to it anyway. Any help on how to fix or debug this further?

      thx

    jimp (Rebel Alliance Developer, Netgate):

        What snapshot did you come from? And upgrade to?

        There haven't been any commits to filter.inc that would change NAT rules in a while, that I can see. The last few were relevant to CARP only as well; before that it had been over a month without any changes.

        That rule does look bad, though. Are you sure nothing else in your config changed? Are you on manual or automatic outbound NAT?

    packetslinger:

          I am coming from:

              2.1-BETA0 (amd64)
              built on Wed Jul 18 10:20:50 EDT 2012
              FreeBSD 8.3-RELEASE-p4

          Yup, it has been a while.

          Manual outbound NAT rules. I have four: two relate to my (only) WAN interface, the other two to OpenVPN connections (one each).

          I reverted to the backup of the release above, and all is back to normal (as long as I don't upgrade).

    packetslinger:

            Your post made me look at the diff for the last update to filter.inc (the CARP-related one), and indeed, it appears to cause the problem.

            The lines (excerpt from filter.inc, PHP):

                // Per-CARP-VIP outbound NAT: skipped for the WAN interface itself
                if ($int != false and $int != $wan_interface) {
                    // network/mask of the VIP, e.g. "10.0.0.0/24"
                    $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
                    // the only guard before the rule is emitted
                    if($int)
                        $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";

            I changed "if($int)" to "if($int!='gif0')" and the error goes away. Now I realize this is an ugly hack, but I think it proves that there is an issue here. Will file a bug report.
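The two things this thread turns on, the rejected rule in the first post and the one-condition guard in the filter.inc excerpt above, can be shown together in a small Python model. This is an added example, not pfSense's code: `network_format()` is an assumed stand-in for `convert_ip_to_network_format()`, the interface names (`em0`, `gif0`, `carp0`, `ovpns1`) are made up, and `SAMPLE_RULES` is a constructed rules.debug excerpt rather than the poster's file. `carp_nat_rule_unguarded()` keeps the control flow of the quoted lines (only `$int` is checked), `carp_nat_rule()` refuses to emit a rule unless every field yields a valid IPv4 network and a non-empty translation interface, and `lint_nat_rules()` is the pre-flight check you would run over a generated rules file before handing it to pfctl.

```python
"""Added example (Python, not pfSense's filter.inc): reproduce the shape of the
bad CARP NAT rule from the thread and show two checks that would catch it.

Assumptions, labelled because the thread does not show them:
  * convert_ip_to_network_format() is approximated by network_format();
    the real PHP helper is not reproduced.
  * interface and VIP names (em0, gif0, carp0, ovpns1) are made up.
  * SAMPLE_RULES is a constructed rules.debug excerpt, not the poster's file.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Shape of the rule line that filter.inc emits for a CARP VIP.
NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> \((\S*)\)$")


def network_format(ip: str, netmask: str) -> str:
    """Stand-in for convert_ip_to_network_format(): returns 'network/prefix'.
    With an empty mask there is nothing to derive a network from, so the
    result collapses to '<ip>/' (the same '.../' shape as in the thread).
    This degenerate behaviour is assumed for illustration only."""
    if not netmask:
        return f"{ip}/"
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return net.with_prefixlen


def carp_nat_rule_unguarded(intf: str, ip: str, netmask: str, carp_int: str) -> Optional[str]:
    """Same control flow as the quoted filter.inc lines: the only condition is
    a non-empty interface name, so an empty netmask or an empty CARP
    interface still produces a rule line that pf will reject."""
    if intf:
        return f"nat on {intf} inet from {network_format(ip, netmask)} to any -> ({carp_int})"
    return None


def carp_nat_rule(intf: str, ip: str, netmask: str, carp_int: str) -> Optional[str]:
    """Guarded generator: emit a rule only when every piece is present and the
    source parses as an IPv4 network. The rule is 'inet', so an IPv6 tunnel
    such as gif0 carrying a v6 address gets no NAT rule at all."""
    if not intf or not carp_int:
        return None
    try:
        net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    except ValueError:  # empty, non-numeric or mismatched mask
        return None
    if net.version != 4:
        return None
    return f"nat on {intf} inet from {net.with_prefixlen} to any -> ({carp_int})"


def lint_nat_rules(text: str) -> List[Tuple[int, str]]:
    """Pre-flight check on rules.debug-style text before pfctl loads it:
    flag every 'nat on' line whose source is not a valid network or whose
    translation target '(...)' is empty. Returns (line number, reason)."""
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("nat on "):
            continue
        m = NAT_RE.match(line)
        if m is None:
            problems.append((lineno, "unexpected nat rule shape"))
            continue
        _intf, src, target = m.groups()
        try:
            ipaddress.ip_network(src, strict=False)
        except ValueError:
            problems.append((lineno, f"bad source network {src!r}"))
        if not target:
            problems.append((lineno, "empty translation interface '()'"))
    return problems


# Constructed rules.debug excerpt (not the poster's file); line 3 is malformed.
SAMPLE_RULES = """\
# constructed rules.debug excerpt
nat on em0 inet from 192.168.1.0/24 to any -> (em0)
nat on gif0 inet from 10.0.0.0/ to any -> ()
nat on ovpns1 inet from 10.8.0.0/24 to any -> (em0)
"""

if __name__ == "__main__":
    print(carp_nat_rule_unguarded("gif0", "10.0.0.1", "", ""))
    print(carp_nat_rule("gif0", "10.0.0.1", "", ""))
    print(carp_nat_rule("em0", "192.168.1.10", "24", "carp0"))
    for lineno, reason in lint_nat_rules(SAMPLE_RULES):
        print(f"line {lineno}: {reason}")
```

The guarded generator is the general form of the poster's `$int != 'gif0'` workaround: instead of excluding one interface by name, it drops any VIP whose netmask or CARP interface is missing, which is what actually produces the `…/` source and the empty `()` target. The lint pass is the cheaper operational check; run it over the generated file and you see the offending line number without waiting for pfctl to refuse the whole ruleset.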

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.