After upgrade from 2.2.3 to 2.2.4 errors loading rules
-
After upgrading from 2.2.3 to 2.2.4, all of my firewalls that have Alias URLs for hosts AND ports, produce the following error in the log:
php-fpm[74094]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:59: syntax error - The line in question reads [59]: rdr on igb1 proto tcp from $AliasForHosts to 1.2.3.4 port $AliasForPorts -> 192.168.1.1
Can anyone recommend a fix?
-
What do you have in the aliases AliasForHosts and AliasForPorts?
Do they show up looking reasonable in /tmp/rules.debug? Or empty?
In particular, any host names that are numbers?
There was a fix for if you had a host alias that contained just numbers (e.g. host name 123). And I am guessing there is some interesting combination of names and/or ports or… in you configuration.
-
AliasForHosts is a URL for a list of IP addresses in CIDR notation. i.e.:
1.2.3.4/32
5.6.7.8/32AliasForPorts is a URL for a list of ports:
80
443Both files have # for comments that describe entries.
The contents of /tmp/rules.debug has this:
table <aliasforhosts>{ 1.2.3.4/32 5.6.7.8/32 }
AliasForHosts = "<aliasforhosts>"
AliasForPorts = "{ }"Please let me know if you need anything else.
Thank you.</aliasforhosts></aliasforhosts>
-
The "fix" in /etc/inc/filter.inc was not considering URL Port alias type.
Does this make it happy?
https://github.com/pfsense/pfsense/pull/1792
-
I applied the patch via the "System Patches" package, but the result is the same. Did this patch work for you?
-
I don't have any URL Ports aliases. I was just checking the code and it seemed that the url_ports case had been missed. I will have to put a file of ports somewhere, make a URL Ports alias, reproduce the issue and really fix it :)
-
I made a dumb typo url_port should be url_ports
https://github.com/pfsense/pfsense/pull/1794