PF Wrong Error Line Number Given by PF syntax checker

Since we upgraded from 8 to 9 we noticed that the PF syntax parser counts lines with "\" as a single line. That makes it VERY difficult to find the incorrect line on sizable configuration files, making the information basically useless.

Is this happening just to us? Am I supposed to use something different to split long lines?
 
I'm not seeing the same behaviour on 10.1 so it must have been fixed sometime in between FreeBSD 9 (which version exactly?) and 10.1.
 
> I'm not seeing the same behaviour on 10.1 so it must have been fixed sometime in between FreeBSD 9 (which version exactly?) and 10.1.

After you mentioned it I tried on our 10.1-RELEASE-p13 firewalls and it does not show the issue.

RE: Exact version: it's a 9.3-RELEASE-p17.
 
My 9.3-STABLE shows the correct line, regardless of the line breaks.

Code:
FreeBSD maelcum.dicelan.home 9.3-STABLE FreeBSD 9.3-STABLE #3 r282148: Tue Apr 28 23:06:02 CEST 2015     root@tessier-ashpool.dicelan.home:/usr/obj/usr/src/sys/MAELCUM  amd64

I see it's a bit old, I'll update it to the latest and test again. Perhaps it's something that happened in between updates.
 
I'm going to ask a stupid question: How long is it going to take, roughly, before the "fix" gets committed into Release?

I have to upgrade another, very sensitive, firewall and I can't afford two reboot windows. I know, I should use CARP and pfsync, I will... when I have the time to actually implement it.

BTW: Thanks for the answers, help of any kind is always very much appreciated.
 
I may be wrong but I believe only security patches are provided to release systems, and this probably doesn't get classed as that. As such, you may have to wait for the next full release, which doesn't appear to be happening for the 9.x branch.

So it seems you may have to upgrade to 10.1 if you really need the line number reporting to be corrected.
 
I did a quick test on a FreeBSD 9.3-RELEASE-p17 at work and it's showing the correct line where the error is.
 
> I did a quick test on a FreeBSD 9.3-RELEASE-p17 at work and it's showing the correct line where the error is.

That's weird... we have three firewalls that show the issue. All of them went through the same upgrade path though. I wonder what it can be.
 
> I may be wrong but I believe only security patches are provided to release systems, and this probably doesn't get classed as that. As such, you may have to wait for the next full release, which doesn't appear to be happening for the 9.x branch.
>
> So it seems you may have to upgrade to 10.1 if you really need the line number reporting to be corrected.

I was taking it into consideration; as a policy my company never uses the latest version, but in this case I might close both eyes if it gets me around the issue.
 
Used this to test, /etc/pf.conf:
Code:
pass in \
on em0 \
from a to b
It should fail on line 3:

Code:
# pfctl -nf /etc/pf.conf
no IP address found for a
/etc/pf.conf:3: could not parse host specification
 
> I was taking it into consideration; as a policy my company never uses the latest version, but in this case I might close both eyes if it gets me around the issue.

Errors that can be fixed without breaking the so-called "Stable ABI" (https://en.wikipedia.org/wiki/Application_binary_interface) can potentially be merged into RELEASE; there have been quite a few errata fixes already in 9.3 and 10.1:

https://www.freebsd.org/security/notices.html

I'm not sure though where the line is drawn on whether an issue is serious enough to be fixed in a release.
 
Just for extra confusion from an old test VM :/

Code:
# uname -r
9.2-RELEASE
# cat -n test.conf
     1  pass in \
     2  on em0
     3
     4  # comment above line 5
     5  from a to b
# pfctl -nf test.conf
test.conf:5: syntax error
 
> Used this to test, /etc/pf.conf:
> Code:
> pass in \
> on em0 \
> from a to b
> It should fail on line 3:
>
> Code:
> # pfctl -nf /etc/pf.conf
> no IP address found for a
> /etc/pf.conf:3: could not parse host specification

The issue seems to present itself only when you split macros, like so:
Code:
internal_net="{ 192.168.0.0/24 \
192.168.1.0/24 192.168.2.0/24 }"
 
> Errors that can be fixed without breaking the so-called "Stable ABI" (https://en.wikipedia.org/wiki/Application_binary_interface) can potentially be merged into RELEASE; there have been quite a few errata fixes already in 9.3 and 10.1:
>
> https://www.freebsd.org/security/notices.html
>
> I'm not sure though where the line is drawn on whether an issue is serious enough to be fixed in a release.

It seems to me like this one is pretty annoying and I would say a big issue. But it might be just me.
 
Also, I tested it wrong. Our 10.1-RELEASE-p13 servers have the same issue.
 
Can someone please confirm my findings so I can think about opening a bug report?

Thanks. :)
 
On an updated 9.3-STABLE:
Code:
root@maelcum:~ # cat -n pf.test
     1  internal_net="{ 192.168.0.0/24 \
     2  192.168.1.0/24 192.168.2.0/24 }"
     3
     4  pass in on em0 \
     5  from a to b
root@maelcum:~ # pfctl -nf pf.test
no IP address found for a
pf.test:4: could not parse host specification
root@maelcum:~ # uname -a
FreeBSD maelcum.dicelan.home 9.3-STABLE FreeBSD 9.3-STABLE #4 r284871: Fri Jun 26 17:29:29 CEST 2015     root@tessier-ashpool.dicelan.home:/usr/obj/usr/src/sys/MAELCUM  amd64
root@maelcum:~ #

It does indeed look like the macro is seen as one line and the rule isn't.
 
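As an added example (not from this thread, and not pfctl's own code), a small Python script that models the line counting the posters observed: a backslash-continued macro definition is counted as one line, while continued rules, blank lines and comments are counted per physical line. Given the line number an affected pfctl reports, it lists the physical lines that could have produced it, and flags the macros that cause the skew. The macro pattern and the one-line-per-macro model are assumptions drawn from the outputs quoted above; the sample config is constructed to mirror the pf.test in the post above.

```python
import re

# A pf.conf macro definition: name=value (whitespace around "=" allowed).
MACRO_RE = re.compile(r'^\s*[A-Za-z_][A-Za-z0-9_]*\s*=')

# Constructed sample mirroring the thread's pf.test; not a real firewall config.
SAMPLE_PF_CONF = (
    'internal_net="{ 192.168.0.0/24 \\\n'
    '192.168.1.0/24 192.168.2.0/24 }"\n'
    '\n'
    'pass in on em0 \\\n'
    'from a to b\n'
)

def physical_to_reported(config_text):
    """Map each physical line (index 0 = line 1) to the number the affected
    pfctl would report for an error there. Assumed model: a backslash-continued
    macro definition advances the counter by 1 however many lines it spans;
    everything else advances it by one per physical line."""
    lines = config_text.splitlines()
    mapping, counter, i = [], 1, 0
    while i < len(lines):
        # Extent of the statement starting at line i: consume while the
        # current line ends with a continuation backslash.
        j = i
        while j < len(lines) - 1 and lines[j].rstrip().endswith("\\"):
            j += 1
        span = j - i + 1
        if MACRO_RE.match(lines[i]) and span > 1:
            mapping.extend([counter] * span)   # whole macro counted as one line
            counter += 1
        else:
            mapping.extend(range(counter, counter + span))
            counter += span
        i = j + 1
    return mapping

def candidate_physical_lines(config_text, reported):
    """Physical line numbers that could yield the given reported number."""
    return [idx + 1 for idx, rep in enumerate(physical_to_reported(config_text))
            if rep == reported]

def continued_macros(config_text):
    """Physical start lines of macro definitions using backslash continuation,
    i.e. the definitions that shift every later reported line number."""
    return [n + 1 for n, line in enumerate(config_text.splitlines())
            if MACRO_RE.match(line) and line.rstrip().endswith("\\")]
```

For the sample, the error on physical line 5 is reported as line 4, matching the pf.test output quoted above; a config with no continued macros maps one-to-one.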
Same thing here on FreeBSD 11.0-CURRENT r284051 and 10.1-RELEASE.

On OpenBSD 5.7 pfctl(8) reports
Code:
no IP address found for a
pf.conf:5: could not parse host specification
 