Bug #11861

Error loading rules in certain cases where an interface is temporarily without an address

Added by Jim Pingle about 2 months ago. Updated 18 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
04/27/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

Had an interface event on my edge firewall yesterday where one WAN lost its interface address and resulted in an invalid ruleset:

23:46:41 There were error(s) loading the rules: /tmp/rules.debug:397: syntax error - The line in question reads [397]: pass  out  quick  on {  igb2  }  $GWCABLE inet from ! to any tracker 1617722899 keep state  dnqueue( 2,1)  label "USER_RULE: CoDel Limiters" 

This particular floating rule is quirky as it passes outbound with a gateway set to set up limiters. The source address is "NOT <other WAN address>" and that other WAN is PPPoE. This is necessary to ensure it doesn't try to send non-default-WAN traffic out through that limiter unintentionally.

It doesn't happen every time, but in this case, the PPPoE connection was down temporarily and rather than skipping that rule as it usually does, the address ended up empty.

Seems like there should be another safety belt which checks the src/dst addresses before forming the rule. I have a feeling it's only checking for empty and the negation ("!") throws it off.

I can't reproduce this at will, unfortunately, so it will be tricky to confirm and test.
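The failure mode described above, as an added illustration that is not part of the bug report and not pfSense's filter.inc or the code in revision 5401382a: a hypothetical rule builder that tests the decorated string ("! " + address) for emptiness lets a negated, empty address through as `from ! to any`, while testing the bare address first skips the rule. The rule dicts, the documentation address 203.0.113.45 and the function names are constructed for the example. The lint function at the end goes slightly beyond the report by scanning a whole rendered ruleset (the shape of /tmp/rules.debug) for any "!" with no operand after it.

```python
"""Negated-empty-address check for generated pf rules (hypothetical code,
modelled on pfSense bug #11861; not the project's own implementation)."""
import re
from typing import Optional

# Constructed sample rules. RULE_UP models the PPPoE WAN having an address;
# RULE_DOWN models the moment it is temporarily without one.
BASE = {
    "iface": "igb2",
    "gateway": "$GWCABLE",
    "src_not": True,          # source is "NOT <other WAN address>"
    "dst": "any",
    "dst_not": False,
    "tracker": 1617722899,
    "label": "USER_RULE: CoDel Limiters",
}
RULE_UP = dict(BASE, src="203.0.113.45")   # constructed documentation address
RULE_DOWN = dict(BASE, src="")             # interface address currently empty


def _render(rule: dict, src: str, dst: str) -> str:
    """Assemble the pf rule text once the src/dst expressions are known."""
    return (f'pass out quick on {{ {rule["iface"]} }} {rule["gateway"]} inet '
            f'from {src} to {dst} tracker {rule["tracker"]} keep state '
            f'dnqueue( 2,1) label "{rule["label"]}"')


def build_rule_naive(rule: dict) -> Optional[str]:
    """Suspected shape of the bug: negation is applied before the empty check,
    so "! " is a non-empty string and the rule is emitted with no address."""
    src = (("! " if rule["src_not"] else "") + rule["src"]).strip()
    dst = (("! " if rule["dst_not"] else "") + rule["dst"]).strip()
    if not src or not dst:       # never true for a lone "!"
        return None
    return _render(rule, src, dst)


def address_expr(addr: Optional[str], negate: bool) -> Optional[str]:
    """Return the pf address expression, or None when the bare address is
    empty. Emptiness is decided before "!" is prepended."""
    if addr is None or not addr.strip():
        return None
    return f"! {addr}" if negate else addr


def build_rule(rule: dict) -> Optional[str]:
    """Safer builder: skip the rule entirely when either address is missing,
    which is the behaviour the report expects for a down interface."""
    src = address_expr(rule["src"], rule["src_not"])
    dst = address_expr(rule["dst"], rule["dst_not"])
    if src is None or dst is None:
        return None
    return _render(rule, src, dst)


# A "!" directly followed by a pf keyword (or end of line) has no operand;
# pf rejects such a line with a syntax error when the ruleset is loaded.
_EMPTY_NEG = re.compile(
    r"!\s*(?=(?:to|from|port|tracker|keep|flags|label|queue|dnqueue)\b|$)")


def has_empty_negation(rule_line: str) -> bool:
    """True if a rendered rule line contains a negation with no operand."""
    return _EMPTY_NEG.search(rule_line) is not None


def lint_ruleset(text: str) -> list:
    """Return 1-based line numbers of rules with an empty negated address."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if has_empty_negation(line)]


if __name__ == "__main__":
    bad = build_rule_naive(RULE_DOWN)
    print("naive builder:", bad)
    print("safe builder :", build_rule(RULE_DOWN))
    print("lint flags line(s):",
          lint_ruleset("\n".join([build_rule(RULE_UP), bad])))
```

Running the block prints the broken `from ! to any` rule from the naive builder, `None` from the safer one, and `[2]` from the lint pass. The lint regex is a pre-load sanity check only; it will also flag a "!" at the end of a label string, so it is a signal to inspect the line, not a replacement for the builder-side check.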

Associated revisions

Revision 5401382a (diff)
Added by Jim Pingle about 2 months ago

Test for empty negated addrs in pf rules. Fixes #11861

Revision dcf96e88 (diff)
Added by Jim Pingle about 2 months ago

Test for empty negated addrs in pf rules. Fixes #11861

(cherry picked from commit 5401382ae85e57cd475d9460cde5732b755525a0)

History

#1 Updated by Jim Pingle about 2 months ago

As luck would have it that WAN just failed again and I was able to confirm that the fix I checked in corrects the problem.

: grep -i CoDel /tmp/rules.debug
# source address is empty.  label "USER_RULE: CoDel Limiters" 

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#4 Updated by Jim Pingle about 1 month ago

Already in 21.05 branch.

#5 Updated by Jim Pingle about 1 month ago

  • Subject changed from Error loading rules in case where interface is temporarily without an address to Error loading rules in certain cases where an interface is temporarily without an address

Updating subject for release notes.

#6 Updated by Jim Pingle 24 days ago

  • Status changed from Feedback to Closed

This has not recurred for me since the fix went in. Calling it solved.

#7 Updated by Jim Pingle 18 days ago

  • Target version changed from 2.6.0 to 2.5.2
