Project

General

Profile

Actions

Bug #11841

open

FRR access lists default bahavior changed to permit by default

Added by Gavin Owen 8 months ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
FRR
Target version:
-
Start date:
04/22/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.5.x
Affected Plus Version:
Affected Architecture:
All

Description

Free Range Routing's Access List behavior in pfSense 2.5.x has changed fundamentally from previous versions, changing from implicit "deny any" to implicit "permit any", with huge ramifications for dynamic routing protocols like OSPF and BGP.

In pfSense 2.4.5p1 I was redistributing some connected routes into OSPF by using an ACL in a distribute-list. I was not using an explicit “deny any” after my permit statements, as ACLs should always implicitly deny any at the end.

In pfSense 2.5.0 and 2.5.1, with testing the same configuration, I have an explosion of connected routes being redistributed and showing up on adjacent firewalls. After putting in an explicit "deny any" at the end of my ACLs, the routes have gone back to the normal expected pre-upgrade state.

If I put a "permit any" explicitly at the end (as apposed to "deny any'), then the results are no different to that line not being there. This tells me that the implicit default behavior of ACLs has now changed from "deny any", to "permit any". This has huge ramifications for anyone upgrading who uses ACLs, were they not to know about it (and why would they?)

Perhaps this is a feature, but I doubt it. Every bit of networking equipment I've used over the last 25 years whether it be Cisco, Huawei, Alcatel, Juniper or a slew of other products all default to implicit "deny any". Since earlier pfSense versions also followed this convention, I'd thus characterise this as a bug/regression.

BTW – I compared ACLs used as a distribute-list, and ACLs called within a route map, and the results were the same.

I am now using a prefix-list called from a route-map for this task with no explicit "deny any" at the end, and this is behaving correctly, so the issue seems to be limited only to access lists. I only tried the "Zebra" access list type. Feel free to try the other types. Also, I have only tried with OSPF and not BGP. Feel free to experiment with that.

Please see my sanitised info in the attached text file. Thanks.

PS. The interface is buggy for ACLs. The checkbox for "source any" doesn't save the first time. I had to go back in and toggle it for a second time to get it to stick. I noticed this repeatedly happening during my testing.


Files

access-list and prefix-list behaviors in pfsense 2.5.1.txt (5.52 KB) access-list and prefix-list behaviors in pfsense 2.5.1.txt Shows the issue of ACLs in pfsense 2.5.1 Gavin Owen, 04/22/2021 09:23 AM
Actions #1

Updated by Jim Pingle 8 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Routing to FRR
  • Release Notes deleted (Default)
Actions

Also available in: Atom PDF