After upgrading to OPNsense 26.1, PF is refusing to load the ruleset whenever a firewall rule uses rate-limit / max-src-conn-rate options.
The overload table names appear to be UUIDs, which exceed PF's maximum table-name length.
This results in PF rejecting the entire ruleset.
Error output:
There were error(s) loading the rules: /tmp/rules.debug:317:
table name 'cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1' too long
The line in question reads [317]:
pass in quick on igc0 inet proto tcp from {any} to $ssh_ipv4 port {22}
keep state ( max 100 max-src-nodes 50 max-src-conn 20 max-src-states 3
tcp.established 300 max-src-conn-rate 2 /60,
overload <cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1> flush global )
label "4622edd3-7c20-497c-ba73-8c044b3cfcca" # SSH/RL/IPv4
Multiple similar UUID-style table names are generated for other rules with rate-limit settings, and PF rejects all of them.
Steps to reproduce
1. Create a firewall rule (e.g., SSH on WAN)
2. Open Advanced Options
3. Enable Max src-conn-rate and Overload table alias.
4. Apply changes
5. PF fails to load ruleset with "table name too long"
For those who have the same issue - you can remove the overload alias from the rule until a fix has been applied.
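A pre-flight check for the failure reported above, as an added example that is not part of the original post and not OPNsense code: it lists every `<table>` reference in a ruleset whose name is longer than pf accepts. It assumes the FreeBSD limit of `PF_TABLE_NAME_SIZE` = 32 (31 usable characters); the function names, the sample rules and the short table names in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pf table names that trigger "table name '...' too long".
# Assumption: PF_TABLE_NAME_SIZE is 32 including the terminating NUL,
# so a table name may be at most 31 characters long.
PF_TABLE_NAME_MAX=31

# find_long_tables [FILE]
# Reads FILE (or stdin) and prints "line:length:name" for each <name> that is
# too long. Returns 1 if any were found, 0 otherwise.
# Simplification: everything after '#' on a line is treated as a comment.
find_long_tables() {
    awk -v max="$PF_TABLE_NAME_MAX" '
        {
            line = $0
            sub(/#.*/, "", line)
            while (match(line, /<[^<> ]+>/)) {
                name = substr(line, RSTART + 1, RLENGTH - 2)
                if (length(name) > max) {
                    printf "%d:%d:%s\n", NR, length(name), name
                    bad = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the UUID table name from the error above, plus two
# hypothetical short names that fit within the limit.
sample_rules() {
    cat <<'EOF'
table <sshlockout> persist
pass in quick on igc0 inet proto tcp from {any} to $ssh_ipv4 port {22} keep state ( max-src-conn-rate 2/60, overload <cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1> flush global ) # SSH/RL/IPv4
pass in quick on igc0 inet proto tcp from {any} to $web_ipv4 port {443} keep state ( max-src-conn-rate 20/60, overload <web_overload> flush global )
EOF
}

# With a file argument, scan that file; otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
    find_long_tables "$1"
else
    sample_rules | find_long_tables || true
fi
```

Run against `/tmp/rules.debug`, it reports every offending rule in one pass, whereas the error output quoted above names only line 317.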
Hello, thanks for the report. We are looking into it.
Quote from: Monviech (Cedrik) on Today at 01:38:30 PM
Hello, thanks for the report. We are looking into it.
Thank you.
Also related, the migration firewall rules import failed due to the same issue. Export of old firewall rules produced alias names rather than UUIDs. The only way I was able to import was to remove the overload table alias names from the CSV.