Bad pf NAT rule after upgrade to latest snapshot

  • After upgrading to the latest snapshot, the filter rules refuse to load due to an error:


    There were error(s) loading the rules: /tmp/rules.debug:109: syntax error
    pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [109]: nat on gif0 inet from …0/ to any -> () ...

    The bad rule from line 109 of /tmp/rules.debug:

    nat on gif0 inet from …0/ to any -> ()

    I am not a pf expert, but this rule looks bad. gif0 is an IPv6 tunnel, and no NAT rules should be applied to it anyway. Any help how to fix/debug this further?


  • Rebel Alliance Developer Netgate

    What snapshot did you come from? And upgrade to?

    There haven't been any commits to that would change NAT rules in a while that I see. The last few were relevant to CARP only as well, before that it had been over a month before any changes.

    That rule does look bad though. Are you sure nothing else in your config changed?  Are you on manual or automatic outbound NAT?

  • I am coming from

    2.1-BETA0 (amd64)
    built on Wed Jul 18 10:20:50 EDT 2012
    FreeBSD 8.3-RELEASE-p4

    yup. It has been a while.

    Manual outbound NAT rules. I got 4. Two relate to my (only) WAN interface, the two others to OpenVPN connections (one each).

    I reverted to the backup of the release above, and all is back to normal (as long as I don't upgrade).

  • Your post made me look at the diff for the last update to (the CARP-related one), and indeed, it appears to cause the problem.

    The lines:

    if ($int != false and $int != $wan_interface) {
        $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
        $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";

    I changed "if($int)" to "if($int!='gif0')" and the error goes away. Now I realize this is an ugly hack, but I think it proves that there is an issue here. Will file a bug report.
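The snippet quoted in the post above emits a `nat on ...` line as soon as `$int` is set and is not the WAN, so an interface such as gif0 with no IPv4 address, netmask or CARP target still produces a rule, and the result is the unparseable `nat on gif0 inet from …0/ to any -> ()` that pfctl rejects. The following is an added example (not pfSense's own filter.inc code) of how a generator can guard against that: it checks every field that ends up in the rule before emitting it, skips tunnel interfaces explicitly, and re-validates the finished line against the shape pf expects. `build_carp_nat_lines()`, the `$vips` array layout, the `ipv4_network()` stand-in for `convert_ip_to_network_format()`, and the sample VIP data are all assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. Function and array names below are
// assumptions for illustration; pfSense's real filter.inc is laid out differently.

// True only when $ip/$bits describes a usable IPv4 network.
function valid_ipv4_cidr(string $ip, $bits): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    return is_numeric($bits) && (int)$bits >= 0 && (int)$bits <= 32;
}

// Network address in pf's a.b.c.d/bits form. Stand-in for
// convert_ip_to_network_format(), which the thread references but does not show.
function ipv4_network(string $ip, int $bits): string {
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $net  = ip2long($ip) & $mask;
    return long2ip($net) . "/" . $bits;
}

// Build "nat on ..." lines for CARP VIPs. A rule is emitted only when every
// field that appears in it is present and well-formed; everything else is
// reported in 'skipped' with a reason instead of reaching /tmp/rules.debug.
function build_carp_nat_lines(array $vips, string $wan_interface): array {
    $lines   = [];
    $skipped = [];
    foreach ($vips as $carp) {
        $int      = $carp['interface'] ?? '';
        $ip       = $carp['subnet']    ?? '';
        $bits     = $carp['netmask']   ?? '';
        $carp_int = $carp['carp_int']  ?? '';

        // Same intent as the original condition: skip unresolved and WAN interfaces.
        if ($int === '' || $int === $wan_interface) {
            continue;
        }
        // gif/gre tunnels carry no IPv4 CARP VIPs and must never get a NAT rule.
        if (preg_match('/^(gif|gre)\d+$/', $int)) {
            $skipped[] = "$int: tunnel interface";
            continue;
        }
        if (!valid_ipv4_cidr($ip, $bits) || $carp_int === '') {
            $skipped[] = "$int: incomplete VIP (ip='$ip' mask='$bits' carp_int='$carp_int')";
            continue;
        }
        $ipnet = ipv4_network($ip, (int)$bits);
        $rule  = "nat on {$int} inet from {$ipnet} to any -> ({$carp_int})";
        // Last line of defence: refuse anything that still does not look like a pf nat rule.
        if (!preg_match('/^nat on \S+ inet from \d+\.\d+\.\d+\.\d+\/\d+ to any -> \(\S+\)$/', $rule)) {
            $skipped[] = "$int: malformed rule '$rule'";
            continue;
        }
        $lines[] = $rule;
    }
    return ['rules' => $lines, 'skipped' => $skipped];
}

// Constructed sample input: one sane LAN VIP, one tunnel interface with no IPv4
// data (the shape that produced "from …0/ to any -> ()"), and the WAN itself.
$vips = [
    ['interface' => 'em1',  'subnet' => '192.168.1.10', 'netmask' => '24', 'carp_int' => 'vip1'],
    ['interface' => 'gif0', 'subnet' => '',             'netmask' => '',   'carp_int' => ''],
    ['interface' => 'em0',  'subnet' => '203.0.113.5',  'netmask' => '29', 'carp_int' => 'vip2'],
];
$out = build_carp_nat_lines($vips, 'em0');
foreach ($out['rules'] as $r) {
    echo $r, "\n";                      // nat on em1 inet from 192.168.1.0/24 to any -> (vip1)
}
foreach ($out['skipped'] as $s) {
    echo "skipped: $s\n";               // skipped: gif0: tunnel interface
}
```

Run it with `php carp_nat.php`: the em1 VIP yields a complete rule, gif0 is reported and skipped rather than turned into a half-empty line, and em0 is dropped as the WAN. Whatever generator produces the rule set, the cheap check before anything is loaded is `pfctl -n -f /tmp/rules.debug`, which parses the file without installing it and reports the offending line number, the same way the error in the first post does.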
