Bug 202802

Summary: ipf reports error with broken rule, but places malformed rule anyway
Product: Base System
Reporter: Jessica K. Litwin <jessica>
Component: bin
Assignee: freebsd-ipfw (Nobody) <ipfw>
Status: New
Severity: Affects Many People
CC: bugmeister
Priority: ---
Version: 10.1-RELEASE
Hardware: Any
OS: Any

Description Jessica K. Litwin 2015-08-31 23:43:22 UTC
Hi,

Steps to duplicate:

1.) In an ipf.rules file you can place the following rule exactly as typed (with typo):

block in quick proto tcp from8.8.8.8/32 to any 


2.) load ipf with 'ipf -F -a -f /etc/ipf.rules' or similar:

# ipfstat -hi
empty list for ipfilter(in)
# ipfstat -ho
empty list for ipfilter(out)

# ipf -F -a -f /etc/ipf.rules 
syntax error error at "/", line 1


Expected result:  

ipf correctly reports a syntax error and does reload rules until the error is corrected.

Actual result: 

# ipfstat -hi
2 block in quick proto tcp from any to any

At this point the box is deaf to the world until the rule is removed, corrected, or ipf is flushed via console.
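The failure mode described above, a parse error that still leaves a mangled rule installed, can be kept out of the running kernel by parsing the file first in ipf's no-change mode and only flushing and loading once the parse is clean. The wrapper below is an added example, not code from this report or from the ipf project. It assumes `ipf -n` (the no-change flag documented in ipf(8), which parses the file without making any ioctl calls) and deliberately treats any diagnostic on stderr or a non-zero exit as a rejection, since the report shows the parser printing an error while still installing a rule.

```shell
#!/bin/sh
# Added example, not part of the bug report: validate an ipf ruleset in
# "no change" mode (ipf -n) before flushing and loading it, so a rule the
# parser rejects is never installed in a mangled form such as the
# "block in quick proto tcp from any to any" seen in the report.

# check_ipf_rules FILE
# Returns 0 when ipf -n parses FILE cleanly, 1 when the parser printed a
# diagnostic or exited non-zero, 2 when FILE is unreadable.
check_ipf_rules() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "check_ipf_rules: cannot read $file" >&2
        return 2
    fi
    # -n parses the file without touching the running kernel. Keep stderr
    # (where "syntax error error at ..." is printed), drop stdout, and
    # record the exit status in a way that does not trip set -e.
    rc=0
    diag=$(ipf -n -f "$file" 2>&1 >/dev/null) || rc=$?
    # Conservative assumption: a clean parse is silent on stderr, so any
    # output there, or a non-zero exit, means the file must not be loaded.
    if [ "$rc" -ne 0 ] || [ -n "$diag" ]; then
        printf 'ruleset %s rejected (exit %s):\n%s\n' "$file" "$rc" "$diag" >&2
        return 1
    fi
    return 0
}

# load_ipf_rules FILE
# Flushes the active filter rules (-Fa) and loads FILE in one ipf call, but
# only after FILE has passed check_ipf_rules; a rejected file leaves the
# running ruleset untouched instead of leaving the box deaf.
load_ipf_rules() {
    file=$1
    check_ipf_rules "$file" || return 1
    ipf -Fa -f "$file"
}

# Usage: sh load_ipf.sh /etc/ipf.rules
if [ "$#" -gt 0 ]; then
    load_ipf_rules "$1"
fi
```

The two-step shape matters more than the exact diagnostics check: the flush in `load_ipf_rules` is the point of no return, so nothing that can fail is allowed to run after it.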
Comment 1 Jessica K. Litwin 2015-08-31 23:46:24 UTC
I can duplicate this on ipf versions as far back as 4.1.28 (416), and my current FreeBSD 10 system using ipf 5.1.2 (464).
Comment 2 Jessica K. Litwin 2015-09-01 00:28:25 UTC
also in my original post 'does reload rules' should read 'doesn't reload rules', sorry.
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2025-02-07 04:29:29 UTC
^Triage: is this still a problem on supported versions of FreeBSD?