Pf Configuration Incompatible With Pf Program Version Apr 2026
The alert came in at 03:14, which meant the on-call pager was now a small, vibrating god of wrath on Julian’s nightstand.
OpenBSD 7.5-current (GENERIC) #5
He never trusted -current again.
Julian’s hands flew. He couldn’t rewrite the whole config at 3:30 AM. He had one shot.
pass in on $ext_if inet proto tcp from 10.88.12.0/24, 10.88.13.0/24 to port 8080
/var/log/messages: pfctl: /etc/pf.conf:87: syntax error
/var/log/messages: pfctl: /etc/pf.conf:87: rule expands to a non-list element
gw-04-dfw wasn't just in a backup state. It was a naked machine on the public internet, its interface wide open.
Julian groaned, rubbing the sleep from his eyes. He was the senior NetOps engineer for a mid-sized cloud provider. Their edge was built on OpenBSD, chosen for the purity and rigor of its Packet Filter (PF). For seven years, it had been a silent, perfect stone wall. Until tonight.
pfctl -sr | grep "api_sources"
pfctl -f /etc/pf.conf
Julian leaned back. The problem wasn't malice. It wasn't a hacker. It was a ghost in the machine: a mismatch between the intent of a config (written for a forgiving world) and the reality of a program (now pedantic, unforgiving).
But he knew the real story. The firewall had been working fine. Until the moment it wasn't. And the difference between those two moments was a single line in a changelog no one had read, and a list of IP addresses wrapped in the wrong kind of curly braces.
He wrote his post-mortem at dawn. Title: "PF_CONFIG_VERSION vs. PF_PROGRAM_VERSION: A Case of Silent Deprecation."