Pf Configuration Incompatible With Pf Program Version

pfctl -sr | grep "api_sources"

He pulled up the man page on his laptop. pf.conf(5). There it was, buried in the "Migration Notes" for 7.5: "The from <list> syntax has been deprecated for non-route-related filter rules. Use an anchor or table for multiple source prefixes. Direct lists in a pass in rule will now raise a fatal syntax error." A fatal error. Not a warning. Not a "this might break." A stone-cold, refuse-to-start fatal error.

His stomach turned to ice. Current. Not -release. Not -stable. Someone—a junior with a cowboy hat and a cron job—had pointed their package repository to the bleeding-edge snapshots. And the new PF, the one in 7.5-current, had changed.

The rule was there. Clean. PF was running. CARP sync re-established. The pager fell silent.

/var/log/messages: pfctl: /etc/pf.conf:87: syntax error
/var/log/messages: pfctl: /etc/pf.conf:87: rule expands to a non-list element

“Firewall node gw-04-dfw in CARP backup state. Packet filter service failed to start.”

He wrote his post-mortem at dawn. Title: "PF_CONFIG_VERSION vs. PF_PROGRAM_VERSION: A Case of Silent Deprecation."

gw-04-dfw wasn't just in a backup state. It was a naked machine on the public internet, its interface wide open.
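The remedy the quoted migration note prescribes, a table in place of an inline source list, written out as an added pf.conf fragment that is not part of the story or of any real OpenBSD release note. The table name api_sources comes from the story; the prefixes, the egress interface group and port 443 are constructed placeholders.

```pf
# Added example, not the story's rule 87. The inline-list form the note
# says now fails to parse would have looked like this:
#   pass in quick on egress inet proto tcp from { 192.0.2.0/24, 198.51.100.0/24 } to (egress) port 443

# Table form: the prefixes live in a named table, and the rule references it.
# "persist" keeps the table alive even when no rule currently references it.
table <api_sources> persist { 192.0.2.0/24, 198.51.100.0/24 }

pass in quick on egress inet proto tcp from <api_sources> to (egress) port 443

# Parse-check the whole file against the installed pfctl before touching the
# running ruleset; a syntax error here is caught without dropping the firewall:
#   pfctl -nf /etc/pf.conf
# Load it and confirm the rule is actually in the kernel:
#   pfctl -f /etc/pf.conf && pfctl -sr | grep api_sources
# Table members can be changed later without a full ruleset reload:
#   pfctl -t api_sources -T replace 192.0.2.0/24 203.0.113.0/24
```

The dry-run step is the one a practitioner wants in the upgrade path: running pfctl -n against the new binary after every package update would have surfaced the fatal error while gw-04-dfw was still in sync, rather than at the moment the service tried to start.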
