Bug #10716
Policy routing rules are not written correctly for a down gateway
Status: closed
Done: 100%
Description
There are two options for the behaviour of policy routing rules that reference a gateway that is down.
The default behaviour is to omit the gateway from the rule; the rule itself otherwise remains in the ruleset.
The alternative behaviour, selected by enabling 'Skip rules when gateway is down', is to omit the rule entirely from the ruleset while the gateway is down.
Both are currently broken.
In the default mode when the gateway is down due to 100% packet loss it still appears as:
# Gateways
GWGW2 = " route-to ( vtnet0 172.21.16.141 ) "
If it is marked down it appears as:
# Gateways
GWGW2 = " "
In both cases a rule referencing it still contains the bad gateway, for example:
pass in quick on $LAN $GWGW2 inet proto tcp from any to 9.9.9.9 tracker 1593470028 flags S/SA keep state label "USER_RULE"
In the alternative mode it is different. If the gateway is down due to 100% packet loss it still appears as:
GWGW2 = " route-to ( vtnet0 172.21.16.141 ) "
And the rule referencing it is the same:
pass in quick on $LAN $GWGW2 inet proto tcp from any to 9.9.9.9 tracker 1593470028 flags S/SA keep state label "USER_RULE"
However, when the gateway is marked down, the gateway no longer appears in the ruleset at all and the rule referencing it is replaced with:
# rule disabled because gateway GW2 is down label "USER_RULE"
That looks like the expected behaviour, but it is only triggered by manually marking the gateway down, which is of limited use.
I suspect the code added here for that particular case is still in play but all other situations are no longer triggering anything.
https://github.com/pfsense/pfsense/pull/1594
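As an added example that is not part of this bug report or of the pfSense code, the following Python checker scans a rules.debug fragment for the symptom described above: a pass rule that still references a gateway macro whose definition has been emptied. It also lists the rules that were correctly replaced by a "rule disabled because gateway ... is down" comment. The sample ruleset is constructed here, modelled on the lines quoted in the report; the function names and the regular expressions are assumptions, not pfSense's own.

```python
import re

# Constructed sample of a rules.debug fragment, modelled on the lines
# quoted in the report (not a capture from a real firewall).
SAMPLE_RULES_DEBUG = """\
# Gateways
GWGW1 = " route-to ( vtnet0 172.21.16.1 ) "
GWGW2 = " "

pass in quick on $LAN $GWGW1 inet proto tcp from any to 1.1.1.1 tracker 1593470001 flags S/SA keep state label "USER_RULE"
pass in quick on $LAN $GWGW2 inet proto tcp from any to 9.9.9.9 tracker 1593470028 flags S/SA keep state label "USER_RULE"
# rule disabled because gateway GW3 is down label "USER_RULE"
"""

# pf macro definition:  NAME = " body "
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
# reference to a gateway macro inside a rule, e.g. $GWGW2
GW_REF_RE = re.compile(r'\$(GW\w+)')
# comment pfSense emits when it skips a rule for a down gateway
DISABLED_RE = re.compile(r'^# rule disabled because gateway (\w+) is down')


def parse_gateway_macros(text):
    """Return {macro_name: body} for every macro definition in the text.

    The body is stripped of surrounding whitespace, so a definition that
    was emptied for a down gateway (GWGW2 = " ") becomes ''.
    """
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def find_rules_with_empty_gateway(text):
    """Return [(tracker_id, macro_name)] for each active rule that references
    a gateway macro whose body is empty.

    This is the broken state the report describes: the gateway was dropped
    from the macro, but the rule still references it, so the rule stays
    active without any route-to and traffic falls back to the default route
    instead of the rule being skipped.
    """
    macros = parse_gateway_macros(text)
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue  # blank lines and comments are never active rules
        for ref in GW_REF_RE.findall(line):
            if macros.get(ref) == '':
                tracker = re.search(r'tracker (\d+)', line)
                findings.append((tracker.group(1) if tracker else None, ref))
    return findings


def find_skipped_rules(text):
    """Return the gateway names for which pfSense emitted the
    'rule disabled because gateway ... is down' comment, i.e. the
    behaviour 'Skip rules when gateway is down' is supposed to produce."""
    return [m.group(1) for m in map(DISABLED_RE.match, text.splitlines()) if m]


if __name__ == '__main__':
    for tracker, macro in find_rules_with_empty_gateway(SAMPLE_RULES_DEBUG):
        print(f'rule tracker {tracker} references empty gateway macro ${macro}')
    for gw in find_skipped_rules(SAMPLE_RULES_DEBUG):
        print(f'rule correctly skipped for down gateway {gw}')
```

Run against a copy of /tmp/rules.debug from a firewall exhibiting the problem, the first list identifies rules that lost their policy route while remaining active; the second shows which rules, if any, were actually skipped. An empty second list alongside a non-empty first list is the mismatch the report describes.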