Bug #7173

[2.3.3+] Interface groups with a '-' (dash) in name are not handled correctly, breaking firewall rules

Added by Kill Bill 21 days ago. Updated 10 days ago.

To reproduce:
- Create an interface group named like prefix-test
- Try to add some firewall rule there and save.

Alternative way to reproduce:
- Install tinc package
- Try to use the pkg-tinc interface in firewall rules


There were error(s) loading the rules: /tmp/rules.debug:149: macro 'prefix' not defined - The line in question reads [149]: pass in quick on $prefix-test inet from any to any tracker 1485799084 keep state label "USER_RULE"
@ 2017-01-30 17:58:07

Affected versions: RELENG_2_3 and master (no proper choice for 2.3.3 in Redmine).

Related forum thread (only linking the only useful post directly):

(And while there, the GUI should NOT let users delete an interface group with a reserved pkg- prefix in name while the package that created it is still installed.)

@rbgarga - these were your commits IIRC.
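
The failure reported above, as an added example (not pfSense code and not from the reporter). pf.conf(5) limits macro names to letters, digits and underscores, so the reference `$prefix-test` is read as the macro `prefix` followed by the literal text `-test`. The script is a simplified model of that lookup, run over a constructed ruleset; the function names and sample rules are assumptions made for illustration.

```python
import re

# pf.conf(5): macro names may contain only letters, digits and underscores,
# so a "$" reference ends at the first character outside that set.
MACRO_REF = re.compile(r"\$([A-Za-z0-9_]*)(\S*)")
MACRO_DEF = re.compile(r'^\s*([^\s=#]+)\s*=\s*"')
QUOTED = re.compile(r'"[^"]*"')

# Constructed sample modelled on the error in this report (not real rules.debug output).
SAMPLE_RULES = '''\
lan = "{ em1 }"
prefix-test = "{ em2 em3 }"
pkg_tinc = "{ tinc0 }"
pass in quick on $lan inet from any to any keep state label "USER_RULE"
pass in quick on $prefix-test inet from any to any keep state label "USER_RULE"
pass in quick on $pkg_tinc inet from any to any keep state label "USER_RULE"
'''

def is_safe_macro_name(name):
    """True if the whole name survives as a single pf macro reference."""
    return re.fullmatch(r"[A-Za-z0-9_]+", name) is not None

def undefined_macro_refs(rules_text):
    """Return (line_no, macro_as_read, leftover) for every reference that
    resolves to a macro not defined earlier in the file."""
    defined, findings = set(), []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        definition = MACRO_DEF.match(line)
        if definition:
            defined.add(definition.group(1))
            continue
        # Quoted strings (labels) are not scanned for macro references here.
        for ref in MACRO_REF.finditer(QUOTED.sub('""', line)):
            name, leftover = ref.group(1), ref.group(2)
            if name not in defined:
                findings.append((line_no, name, leftover))
    return findings

if __name__ == "__main__":
    for line_no, name, leftover in undefined_macro_refs(SAMPLE_RULES):
        print(f"line {line_no}: macro '{name}' not defined "
              f"(reference truncated before '{leftover}')")
    for group in ("prefix-test", "pkg-tinc", "pkg_tinc"):
        print(group, "ok" if is_safe_macro_name(group) else "rejected")
```

Running the same name check on interface group names before the ruleset is generated rejects `prefix-test` and `pkg-tinc` and accepts `pkg_tinc`.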

Associated revisions

Revision b835c2dd
Added by Phillip Davis 20 days ago

Fix #7173 Interface Group Name cannot contain dash

Revision 75e18196
Added by Renato Botelho 20 days ago

Fix #7173 Interface Group Name cannot contain dash


#1 Updated by Phillip Davis 20 days ago

The char set allowed should be the same as for Interfaces and Aliases.

#2 Updated by Phillip Davis 20 days ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Kill Bill 20 days ago

To get this really fixed, it's needed to

1/ revert a bunch of other commits that allowed that stuff specifically for use with packages (the pkg- prefix).
2/ do something about the tinc package

How about pkg_ instead of pkg-?

(Plus, can file a separate bug about the last remaining issue, i.e. that users shouldn't be allowed to mess with package-created interface groups, but that depends on 2/ above).

#4 Updated by Phillip Davis 19 days ago

To fix validation of Interface, Interface Group and Alias names.

#5 Updated by Phillip Davis 19 days ago

What other packages use the "pkg_" prefix to generate names in this namespace?

#6 Updated by Kill Bill 19 days ago

Heh, none that I'd know of ATM except tinc, but it simply needs to be something, so that some checking can be done for these cases (don't let use otherwise, don't let rename/delete while pkg is still installed, ...)

#7 Updated by Phillip Davis 19 days ago

I guess the package should be responsible for deleting the Interface Group as it uninstalls itself.
So the Interface Groups display and edit pages can always prevent delete/edit of "pkg_*" Interface Groups. From core code there will be no need to try to work out which package made the Interface Group and if that package is installed or not.

#8 Updated by Kill Bill 19 days ago

Yeah, I think it should behave like the IPsec/OpenVPN ones, they don't let you mess with those either. :) (Well, except that they are not listed as a group at all...)

#9 Updated by Jim Pingle 10 days ago

  • Category set to Interfaces
  • Target version changed from 2.4.0 to 2.3.3

#10 Updated by Renato Botelho 10 days ago

  • Status changed from Feedback to Resolved

