WAF Rules - Lists not working?

What is the name of the domain?

any

What is the error number?

%s function forbidden fields, at index: 0

What is the error message?

%s function forbidden fields, at index: 0

What is the issue you’re encountering

WAF rule which has been in place for years has now changed from showing in Expression Builder to only showing in the text box; trying to save gives an “unsupported” message

What steps have you taken to resolve the issue?

Rewrite WAF rule step by step:
ip.geoip.asnum in {15169 396982} is OK
adding
and not ip.src in $googlebot_ip_lists
gives the above error
Have lists been dropped from being supported in the free tier now?

On further checking EVERY WAF rule now no longer works in Expression Builder even though the actual rule works

Looks like a bug?

Has lately been changed to ip.src.asnum and is deprecated as follows, but it still works (not in expression builder):

If you’re using Expression builder, please consider replacing ip.geoip.asnum with the new ip.src.asnum.


I’ve made the changes from ip.geoip.country to ip.src.country, and ip.geoip.asnum to ip.src.asnum - but still get the same error, and found a new one

But there is a bug in that WAF no longer sees my list $googlebot_ip_lists and just gives me a “no lists” message, with a link to “manage lists” which then shows my list

Further to that, even if I simplify the rule right down to just checking if the ASN is in a few ASNs it still gives the original error message - it looks like once it has raised “%s function forbidden fields, at index: 0” then even a very simple rule gets the error, and there is something wrong with the way it’s not getting my list

Does it still exist under the sidebar menu Manage Account → Configurations → then select Lists? :thinking:

Are you using IP addresses and/or IP ranges as CIDR format? :thinking:
Using both IPv4 and IPv6 or only one of them in the lists?

Have you tried to retrieve the list and result via Cloudflare API, just in case, to cross-check the response and if there’s any error via API as well? :thinking:

Yes, menu option is there, and the link in Expression builder for “manage lists” takes me there, and I can see, open, and edit, my list - it just doesn’t seem happy that it exists when trying to use it

I will have a play with the API

Thanks for the help

API returns:

C:\Users\Buster>curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rules/lists \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
{
  "result": [
    {
      "id": "$LIST_ID",
      "name": "googlebot_ip_lists",
      "kind": "ip",
      "num_items": 200,
      "num_referencing_filters": 0,
      "created_on": "2022-10-29T21:45:39Z",
      "modified_on": "2022-10-29T21:50:09Z"
    }
  ],
  "success": true,
  "errors": ,
  "messages":
}
curl: (3) URL rejected: Bad hostname
curl: (3) URL rejected: Bad hostname

And list items gets me the items in the list

And I’m now getting “500 Internal Server Error” on any page refresh so looks like there may be some background issues going on as well

May I ask if you could try using an Incognito Mode (Private Window), or have you tried using a different Web browser already? :thinking:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

What is the name of the domain?

All my domains

What is the error number?

%s function forbidden fields, at index: 0

What is the error message?

%s function forbidden fields, at index: 0

What is the issue you’re encountering

Cannot create any WAF rules, been having an ongoing issue with the error message “%s function forbidden fields, at index: 0” for a while, previous topic got closed as I was still trying all sorts to find a cause

What steps have you taken to resolve the issue?

Create a simple rule:
(ip.src.country eq “US” and not ip.src.asnum in {8075 15169 13335 32934 714 13649})
Save
Get error
Tried: incognito, different browser, etc., etc. There appears to be a bug where once you have got the above error anything you try to change just gives the same error
As previous ticket: Lists no longer work in Free tier, WAF rules that use lists no longer work, looks like some major bugs were introduced when the changes were made e.g. ip.geoip.country changed to ip.src.country etc. which has broken any WAF rule that uses them

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Create a simple rule:
(ip.src.country eq “US” and not ip.src.asnum in {8075 15169 13335 32934 714 13649})
Save
Get error

Those look like smart quotes. Try this:
(ip.src.country eq "US" and not ip.src.asnum in {8075 15169 13335 32934 714 13649})
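A pre-save check for the two expression problems raised in this thread (typographic quotes and the deprecated ip.geoip.* field names), as an added example that is not from any poster or from Cloudflare. The function name and the sample expression are constructed for illustration, and only the two renames stated in the thread are applied; it checks syntax hygiene only and does not address the save error itself.

```python
import re

# Renames stated in this thread; any other ip.geoip.* field is only flagged.
RENAMES = {"ip.geoip.country": "ip.src.country", "ip.geoip.asnum": "ip.src.asnum"}
# Typographic double quotes that editors and forum software substitute for ".
SMART_QUOTES = {"\u201c": '"', "\u201d": '"'}
# Match a complete double-quoted string literal OR a bare ip.geoip.* field,
# so that field names appearing inside string values are left untouched.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\bip\.geoip\.[a-z0-9_]+(?:\.[a-z0-9_]+)*')


def lint_expression(expr):
    """Return (fixed_expression, findings) for a rule expression string."""
    findings = []
    fixed = expr
    for ch, plain in SMART_QUOTES.items():
        if ch in fixed:
            findings.append(f"smart quote U+{ord(ch):04X} replaced with {plain}")
            fixed = fixed.replace(ch, plain)

    def rewrite(match):
        token = match.group(0)
        if token.startswith('"'):      # string literal: never rewrite its content
            return token
        new = RENAMES.get(token)
        if new is None:                # deprecated prefix, but no rename known here
            findings.append(f"{token}: deprecated prefix, no rename in table")
            return token
        findings.append(f"{token} renamed to {new}")
        return new

    return TOKEN_RE.sub(rewrite, fixed), findings


# Constructed sample: the thread's rules combined, in the old notation and
# with the smart quotes a copy and paste can introduce.
SAMPLE = ("(ip.geoip.country eq “US” and not ip.geoip.asnum in {8075 15169} "
          "and not ip.src in $googlebot_ip_lists)")

if __name__ == "__main__":
    fixed, findings = lint_expression(SAMPLE)
    print(fixed)
    for finding in findings:
        print(" -", finding)
```
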

I think it’s just the cut and paste as I created it in the expression builder and then copied from the text area to make sure it was created correctly as I’ve been having this issue for a few weeks now - any change to any WAF rule fails with the same error

Lists no longer work in the free tier for me - they can be put in the text editor but in the expression builder it tells me I have no lists and gives a link to the lists, follow the link and it shows my list, but the list doesn’t appear in the drop down

Any rule that had the old ip.geoip.* notation in it no longer works, text is displayed but cannot be edited

Changing any rule that uses ip.geoip to ip.src gets the same error

Creating a new rule using expression builder just gives the same error - as I cannot use WAF rules I implemented some redirect rules to just use most of the same logic to redirect to nowhere which appears to be more effective than giving people a blocked screen - attempts from ASN8075 dropped from 200k+ a day to a few tens of attempts when redirected nowhere rather than just giving a Cloudflare blocked screen but I’d like to be able to use WAF rules

OK, weird:

Create the WAF rule in the text editor but use the old ip.geoip.* notation and you don’t get the error and the WAF rule is created
BUT
Click on “Use Expression Builder”, get the error about unsupported syntax so fix the ip.geoip.* to ip.src.* and the expression builder shows the rule, but then click on Save and you are back to the %s function forbidden fields, at index: 0 error

So: WAF rules are stuffed - you can’t create them, you can’t edit them, and any that use the old syntax no longer work - looks like a pretty serious bug to me???

Anyone got any idea why lists can’t be used any more?

EVERY edit of WAF rules just gives: “%s function forbidden fields, at index: 0”

Anyone got any ideas how I can get Cloudflare to look at this major bug?

Can’t raise a ticket
Can’t use WAF
Can’t get any response

Workaround is currently to use redirect rules but that’s not a proper result - there is some bug / issue with my account that is causing the “%s function forbidden fields, at index: 0”

@sdayman - Any ideas? This looks like it’s an account issue but there is no way for me to raise anything other than here

Using interface “visual” or with Expression editor? :thinking:

Did you recently downgrade your plan type for your zone?

May I ask if you see “Firewall Rules” or “Custom Rules” tab on the WAF page? Wonder if you’re using legacy WAF rules vs New WAF rules :thinking:

Doesn’t matter which editor I use, same result, what’s odd is that only one of my rules opens in the click and select area at the top, they all open in the text editor, and are in the old syntax, if I correct the syntax I can get them to appear in the top section, but lose the list, so tried removing the list reference but still get the same error

If I create a rule in the click & create section, even a simple “ASNum = … and not bot”, gets error

If I open an old rule - which isn’t blocking anything anymore - and try to edit it I can correct the text editor text so that I can get it in the click & select section, but same error when saving

Even a single line ASN = … rule gets the same error

Not downgraded, never upgraded from free, list can’t be selected but the link to manage lists then shows the list!

I see the old “Firewall Rules” header so I only get option for old WAF rules? Wonder if that’s the issue?

Cheers for the help - I’m at the point of giving up as I’m using redirect rules to redirect unwanted traffic rather than being able to use WAF rules to block it

Shouldn’t I have been upgraded to the “Custom Rules” option at some point? I will check if any of my other domains get that option

Just checked and I get the Custom Rules option in a different domain - will set up the same rule in that domain and see what happens