Netgate Discussion Forum

    Syntax error I don't understand

    2.1 Snapshot Feedback and Problems - RETIRED

      darkcrucible

      This issue seems to keep coming up for me. I've looked into it but I don't understand what is causing this error. I'm running the Oct 23rd snapshot of nanobsd i386 on an Alix board. I've had this on snapshots after Oct 14th. When it's booting up, something is killed while configuring the firewall.

      The following is from the bootup serial console:

      Creating symlinks......done.
      External config loader 1.0 is now starting... ad0s3
      Launching the init system... done.
      Initializing............................. done.
      Starting device manager (devd)...done.
      Loading configuration......done.
      Updating configuration...done.
      Cleaning backup cache........done.
      Setting up extended sysctls...done.
      glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0
      Setting timezone...done.
      Configuring loopback interface...done.
      Starting Secure Shell Services...done.
      Setting up polling defaults...done.
      Setting up interfaces microcode...done.
      Configuring loopback interface...dvr1: link state changed to DOWN
      one.
      Configuring LAGG interfaces...done.
      Configuring VLAN interfaces...done.
      Configuring QinQ interfaces...done.
      Configuring WAN interface...vr1: link state changed to UP
      pflog0: promiscuous mode enabled
      Configuring firewall......done.
      done.
      Configuring LAN interface...vr0: link state changed to DOWN
      done.
      Syncing OpenVPN settings...tun1: changing name to 'ovpns1'
      tun2: changing name to 'ovpns2'
      ovpns1: link state changed to UP
      done.
      Starting syslog...ovpns2: link state changed to UP
      done.
      Configuring firewall......done.
      Starting PFLOG...done.
      Setting up gateway monitors...done.
      Synchronizing user settings...done.
      Starting webConfigurator...done.
      Configuring CRON...done.
      Starting NTP time client...done.
      Starting DHCP service...done.
      Starting DHCPv6 service...done.
      Starting DNS forwarder...done.
      Configuring firewall...Killed
      Starting CRON... done.
      Killed
      Bootup complete
      

      After bootup is complete, I get a notice from the GUI

      [ There were error(s) loading the rules: /tmp/rules.debug:173: syntax errorpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label USER_RULE: Default allow LAN IPv6 to any rule]
      

      The line from the notice is as follows:

      pass  in  quick  on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state  label "USER_RULE: Default allow LAN IPv6 to any rule"
      

      The system logs only seem to have a few relevant entries:

      Oct 23 21:52:20 	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded'
      Oct 23 21:52:20 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
      Oct 23 21:52:20 	php: : There were error(s) loading the rules: /tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
      

      Any help on this would be appreciated. I don't think my setup is too complex. The only package I have installed is the OpenVPN client export. I have one site-to-site OpenVPN and another PKI road-warrior server. Plus about 19 firewall rules of which 13 are port forwards for the WAN. 3 rules for the LAN and 1 rule for OpenVPN. And 8 Outbound NAT rules. If there's any other info I should post, let me know.

        wallabybob

        The log extracts you posted give the rule in error as

        pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"

        which I expect has a syntax error in "/64" which is not an IP address/subnet.

        However you appear to claim the rule in error is

        pass  in  quick  on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state  label "USER_RULE: Default allow LAN IPv6 to any rule"

        which doesn't have such syntax error.

        Are these two lines close together in /tmp/rules.debug?

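The check described in the reply above, as an added example that is not part of the original posts: a small linter that flags `from`/`to` operands in pf rule lines where a prefix length has no address in front of it, run over the three rule lines quoted in this thread. The names `check_operand` and `lint_rules` are hypothetical, and the keyword list is only a subset of the pf.conf grammar.

```python
import ipaddress
import re

# Operand that follows "from" or "to" in a pf rule line.
OPERAND = re.compile(r"\b(from|to)\s+(\S+)")
# Subset of pf address keywords (assumption: not the full grammar).
KEYWORDS = {"any", "no-route", "urpf-failed", "self"}

def check_operand(token):
    """Return a reason string if the operand is malformed, else None."""
    if token in KEYWORDS or token[0] in "$<(!{":
        return None  # keyword, macro, table, dynamic address, negation or list
    addr, slash, prefix = token.partition("/")
    if not addr:
        return "prefix length without an address"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # interface or host name; left for pfctl to resolve
    if slash and not (prefix.isdigit() and int(prefix) <= ip.max_prefixlen):
        return "invalid prefix length for IPv%d" % ip.version
    return None

def lint_rules(text):
    """Return (line number, keyword, operand, reason) for each bad operand."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Blank out quoted labels and drop comments so their words are not parsed.
        bare = re.sub(r'"[^"]*"', '""', line).split("#", 1)[0]
        for keyword, token in OPERAND.findall(bare):
            reason = check_operand(token)
            if reason:
                findings.append((lineno, keyword, token, reason))
    return findings

# Sample assembled from the rule lines quoted in this thread: the line-172 rule,
# the rule as seen in the file, and the rule as it appears in the log.
SAMPLE = '''\
pass  in  quick  on $LAN inet from 192.168.112.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
pass  in  quick  on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state  label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
'''

if __name__ == "__main__":
    for lineno, keyword, token, reason in lint_rules(SAMPLE):
        print("line %d: '%s %s': %s" % (lineno, keyword, token, reason))
```

On the firewall itself, `pfctl -n -f /tmp/rules.debug` parses the file without loading it and remains the authoritative check.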
          darkcrucible

          That's just the thing though. It says the syntax error is on line 173 in /tmp/rules.debug.

          I open vi for /tmp/rules.debug, type 173G, and it says:

          pass  in  quick  on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state  label "USER_RULE: Default allow LAN IPv6 to any rule"

          The Rule on line 172 for example says this:

          pass  in  quick  on $LAN inet from 192.168.112.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

          It's as though it's ignoring the 2601:9:4d80:90:0:0:0:0 part. Hence my confusion.

          Also, on a side note, vi on a 9600 BAUD link is quite amusing :)

            darkcrucible

            I'm still not sure what the deal was with the syntax error. After rebooting it's gone.

            However, I still get the Configuring firewall…Killed thing during bootup. It turns out that if I have both of my OpenVPN servers enabled during bootup this will happen. Disabling one or both allows a clean bootup.

            Ever since that mysterious syntax error occurred, the RADVD never starts up on bootup. I have to manually enable it. How can I force it to start automatically at bootup?

            The DNS forwarder also does not respond to DNS queries on IPv6 anymore.

            At this point I may just reinstall. Hopefully all of this will go away.

              phil.davis

              Just cross-referencing the "Killed" problem - http://forum.pfsense.org/index.php/topic,54155.0.html - I have the same issue, usually when I have about 3 or more OpenVPN instances. Somewhere the startup must be running a bunch of things in parallel and running out of memory on the 256MB Alix. Once things are up, memory use is around 45%. The process that gets the "kill" is a bit random, so sometimes DHCP, DNS, one of the OpenVPN servers… is missing after startup. Someone has to use the GUI and restart whatever is dead in Status:Services.
              I really need to make time to understand the whole bootup flow and see how this could be fixed.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                darkcrucible

                I wound up doing a clean install. With both VPNs the memory is around 65%. Having only 1 or 0 servers active seems to avoid any issues on the bootup. RADVD still doesn't start with bootup (is it just me that's seeing this?) and the DNS forwarder seems to not listen on the IPv6 LAN address.

                Connectivity works well enough once I start RADVD manually as the DNS forwarder listens on IPv4 still.
