Bad pf NAT rule after upgrade to latest snapshot
-
After upgrading to the latest snapshot, the filter rules refuse to load due to an error:
There were error(s) loading the rules: /tmp/rules.debug:109: syntax error
pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [109]: nat on gif0 inet from …0/ to any -> () ...
The bad rule from line 109 of /tmp/rules.debug:
nat on gif0 inet from …0/ to any -> ()
I am not a pf expert, but this rule looks bad. gif0 is an IPv6 tunnel, and no NAT rules should be applied to it anyway. Any help on how to fix/debug this further?
thx
-
What snapshot did you come from? And upgrade to?
There haven't been any commits to filter.inc that would change NAT rules in a while that I see. The last few were relevant to CARP only as well, before that it had been over a month before any changes.
That rule does look bad though. Are you sure nothing else in your config changed? Are you on manual or automatic outbound NAT?
-
I am coming from
2.1-BETA0 (amd64)
built on Wed Jul 18 10:20:50 EDT 2012
FreeBSD 8.3-RELEASE-p4
yup. It has been a while.
Manual outbound NAT rules. I got 4. Two relate to my (only) WAN interface, the two others to OpenVPN connections (one each).
I reverted to the backup of the release above, and all is back to normal (as long as I don't upgrade).
-
Your post made me look at the diff for the last update to filter.inc (the CARP related one), and indeed, it appears to cause the problem.
The lines:

    if ($int != false and $int != $wan_interface) {
        $ipnet = convert_ip_to_network_format($ip, $carp['netmask']);
        if($int)
            $lines .= "nat on {$int} inet from {$ipnet} to any -> ({$carp_int}) \n";

I changed "if($int)" to "if($int!='gif0')" and the error goes away. Now I realize this is an ugly hack, but I think it proves that there is an issue here. Will file a bug report.