Pf Configuration Incompatible With Pf Program Version <EASY>

Julian groaned, rubbing the sleep from his eyes. He was the senior NetOps engineer for a mid-sized cloud provider. Their edge was built on OpenBSD, chosen for the purity and rigor of its Packet Filter (PF). For seven years, it had been a silent, perfect stone wall. Until tonight.

“Firewall node gw-04-dfw in CARP backup state. Packet filter service failed to start.”

gw-04-dfw wasn't just in a backup state. It was a naked machine on the public internet, its interface wide open.

pfctl -sr
pfctl: DIOCGETRULES: Device not configured

Not configured? That meant PF wasn’t even running. He checked the logs.

pass in on $ext_if inet proto tcp from 10.88.12.0/24, 10.88.13.0/24 to port 8080
pf configuration incompatible with pf program version

Line 87. Julian scrolled through the config. Line 87 was a routine pass in rule for a backend API subnet.

It was clean. It had worked for eighteen months. He squinted. Then he saw it. The version banner from the last system upgrade, buried four scrolls up:

OpenBSD 7.5-current (GENERIC) #5

His stomach turned to ice. Current. Not -release. Not -stable. Someone—a junior with a cowboy hat and a cron job—had pointed their package repository to the bleeding-edge snapshots. And the new PF, the one in 7.5-current, had changed.

He pulled up the man page on his laptop. pf.conf(5). There it was, buried in the "Migration Notes" for 7.5: The from <list> syntax has been deprecated for non-route-related filter rules. Use an anchor or table for multiple source prefixes. Direct lists in a pass in rule will now raise a fatal syntax error. A fatal error. Not a warning. Not a "this might break." A stone-cold, refuse-to-start fatal error.

But he knew the real story. The firewall had been working fine. Until the moment it wasn't. And the difference between those two moments was a single line in a changelog no one had read, and a list of IP addresses wrapped in the wrong kind of curly braces.

Julian’s hands flew. He couldn’t rewrite the whole config at 3:30 AM. He had one shot.

pfctl -sr | grep "api_sources"

He never trusted -current again.
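The fix the story hints at, as an added example that is not part of the original text: the line-87 rule rewritten to draw its source prefixes from a table, which is how pf.conf(5) expresses a set of addresses that may grow. In the real pf.conf grammar a list written inline in a rule is always enclosed in curly braces, which is exactly what the story's rule lacks. The interface name em0 and the table name api_sources are assumptions.

```pf
# Added example, not the story's config. Interface and table names are assumed.
ext_if = "em0"

# One table holds the backend API subnets. Prefixes can be added or dropped
# here without editing the rule itself; "persist" keeps the table defined
# even if it is emptied at runtime.
table <api_sources> persist { 10.88.12.0/24, 10.88.13.0/24 }

# Default deny, so a rule that fails to parse cannot silently widen access
# once the ruleset does load.
block all

# Inline form for comparison: a list inside a rule must be braced.
# pass in on $ext_if inet proto tcp from { 10.88.12.0/24, 10.88.13.0/24 } to port 8080

# Table form: the replacement for line 87.
pass in on $ext_if inet proto tcp from <api_sources> to port 8080
```

Before loading, parse the file without applying it with pfctl -nf /etc/pf.conf; a syntax error surfaces there instead of at boot, when a failed load leaves the node with no filter at all. Load with pfctl -f /etc/pf.conf, then confirm with pfctl -sr that the pass rule references the table and with pfctl -t api_sources -T show that the table holds both prefixes. Running the -nf check from the upgrade pipeline, before rebooting onto a new kernel, is the cheap way to catch a grammar change like the one in the story.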