Project

General

Profile

Actions
Copy link

Bug #10726

open

Sticky-connections option is bugged - sticky-address cannot be redefined

Added by Fritz Lakritz over 5 years ago. Updated almost 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
07/04/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

As already described in https://forum.netgate.com/topic/154821/strange-firewall-rules-behaviour-with-sticky-connections, sticky connections are bugged.

The setup is:
PfSense 2.4.5_p1, a WAN-PPPoE Gateway, a Gateway-Group with 3 OpenVPN-Gateways and all of them as Tier 1 (Load-Balancing). If sticky connections will be enabled and the Gateways are connected, i get errors "There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined" with ICMP rules.

```
There were error(s) loading the rules: /tmp/rules.debug:928: sticky-address cannot be redefined - The line in question reads [928]: pass in quick on $VLAN_GUEST $GWVPN_Gateway inet proto icmp from $network_guest_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1568891569 keep state label "USER_RULE: Allow defined ICMP"
@ 2020-06-26 12:28:12
```

This is the rule:
```
<rule>
<id></id>
<tracker>1568891569</tracker>
<type>pass</type>
<interface>opt2</interface>
<ipprotocol>inet</ipprotocol>
<tag>vpntraffic</tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>icmp</protocol>
<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
<source>
<address>network_guest_vpn</address>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[Allow defined ICMP]]></descr>
<gateway>VPN_Gateway</gateway>
<created>
<time>1568891569</time>
<username><![CDATA[ (Local Database)]]></username>
</created>
<updated>
<time>1579638983</time>
<username><![CDATA[ (Local Database)]]></username>
</updated>
```

The firewall-rule should be okay, it works without sticky connection really good. Then is just tried to delete my rule to see what happens, i have nearly the same rule for another interface too. As soon as i deleted it, the next rule shows an error..

```
There were error(s) loading the rules: /tmp/rules.debug:1015: sticky-address cannot be redefined - The line in question reads [1015]: pass in quick on $VLAN_PRIVATE $GWVPN_Gateway inet proto icmp from $network_private_vpn to any icmp-type { echorep,echoreq,paramprob,squench,timex,unreach } tag "vpntraffic" tracker 1579638453 keep state label "USER_RULE: Allow defined ICMP"
@ 2020-06-26 12:38:37
```

This is the rule:
```
<rule>
<id></id>
<tracker>1579017667</tracker>
<type>pass</type>
<interface>opt3</interface>
<ipprotocol>inet</ipprotocol>
<tag>nonvpntraffic</tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>icmp</protocol>
<icmptype>echorep,echoreq,paramprob,squench,timex,unreach</icmptype>
<source>
<address>network_private</address>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[Allow defined ICMP]]></descr>
<gateway>WAN_PPPOE</gateway>
<created>
<time>1579017667</time>
<username><![CDATA[ (Local Database)]]></username>
</created>
<updated>
<time>1579638306</time>
<username><![CDATA[ (Local Database)]]></username>
</updated>
```

Actions
Copy link
 #1

Updated by Viktor Gurov over 5 years ago

  • Category set to Rules / NAT
  • Affected Version set to 2.4.5-p1

seems pfctl icmp-type + sticky-address issue,
but only if you select icmp message types (icmp any works fine),
same error with IPv6 ICMP,
same on 2.5 snapshots

See also #2493

Actions
Copy link
 #2

Updated by Fritz Lakritz over 5 years ago

It looks like, that bug has not been resolved since 8 years..
https://redmine.pfsense.org/issues/2493

Actions
Copy link
 #3

Updated by Viktor Gurov over 5 years ago

https://github.com/pfsense/FreeBSD-src/blob/devel-12/sbin/pfctl/parse.y#L4133-L4137:

| STICKYADDRESS    {
            if (filter_opts.marker & POM_STICKYADDRESS) {
                yyerror("sticky-address cannot be redefined");
                YYERROR;
            }

for some reason POM_STICKYADDRESS is not cleared when using ICMP/ICMPv6 with any option (which sets 'filter_opts.marker')

Actions
Copy link
 #4

Updated by Viktor Gurov almost 5 years ago

  • Affected Version changed from 2.4.5-p1 to 2.5.0
Actions
Copy link

Also available in: Atom PDF