Bug #11861
Status: closed
Error loading rules in certain cases where an interface is temporarily without an address
Description
Had an interface event on my edge firewall yesterday where one WAN lost its interface address and resulted in an invalid ruleset:
23:46:41 There were error(s) loading the rules: /tmp/rules.debug:397: syntax error - The line in question reads [397]: pass out quick on { igb2 } $GWCABLE inet from ! to any tracker 1617722899 keep state dnqueue( 2,1) label "USER_RULE: CoDel Limiters"
This particular floating rule is quirky as it passes outbound with a gateway set to set up limiters. The source address is "NOT <other WAN address>" and that other WAN is PPPoE. This is necessary to ensure it doesn't try to send non-default-WAN traffic out through that limiter unintentionally.
It doesn't happen every time, but in this case, the PPPoE connection was down temporarily and rather than skipping that rule as it usually does, the address ended up empty.
Seems like there should be another safety belt which checks the src/dst addresses before forming the rule. I have a feeling it's only checking for empty and the negation ("!") throws it off.
I can't reproduce this at will, unfortunately, so it will be tricky to confirm and test.
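Added example (not pfSense code and not the reporter's): a small Python model of the failure described above and of the "safety belt" the report asks for. The naive path mirrors the suspicion that only the raw string is tested for emptiness, so a negated source whose interface has no address collapses to "!" and renders as "from ! to any", the exact fragment pf rejected at line 397. The hardened path strips the negation before validating the address and skips the rule when nothing usable is left, and a lint pass flags empty address slots in an already rendered ruleset before it is handed to pfctl. All function names, and the interface/gateway/queue values, are constructed stand-ins.

```python
import ipaddress
import re

# Rule shape taken from the ruleset line quoted in the report; the field values
# are constructed stand-ins for the report's interface, gateway and queue settings.
RULE_TEMPLATE = ('pass out quick on {{ {iface} }} {gw} inet from {src} to any '
                 'tracker {tracker} keep state dnqueue( {q1},{q2}) label "{label}"')
FIELDS = dict(iface="igb2", gw="$GWCABLE", tracker=1617722899, q1=2, q2=1,
              label="USER_RULE: CoDel Limiters")


def naive_source_expr(addr, negate):
    """Model of the suspected defect: the negation prefix is glued on first, so an
    interface that currently has no address still yields the non-empty string "!"."""
    expr = ("! " + addr) if negate else addr
    return expr.strip()


def naive_build_rule(src_expr, fields=FIELDS):
    """Only checks for the empty string, so "!" slips through and renders as
    'from ! to any', which pf rejects with a syntax error."""
    if not src_expr:
        return None
    return RULE_TEMPLATE.format(src=src_expr, **fields)


def parse_source(src_expr):
    """Split a pf source expression into (negated, address). Strips the '!' before
    checking emptiness and accepts only a parseable host or network."""
    s = src_expr.strip()
    negated = s.startswith("!")
    if negated:
        s = s[1:].strip()
    if not s:
        return negated, None
    try:
        ipaddress.ip_network(s, strict=False)
    except ValueError:
        return negated, None
    return negated, s


def build_rule(src_expr, fields=FIELDS):
    """Hardened generator: skips the rule (returns None) whenever the address
    behind an optional negation is missing or malformed."""
    negated, addr = parse_source(src_expr)
    if addr is None:
        return None
    src = "! " + addr if negated else addr
    return RULE_TEMPLATE.format(src=src, **fields)


# Lint patterns for an already rendered ruleset: a source keyword immediately
# followed by the destination keyword, or a destination followed by the next
# clause, with nothing but an optional '!' in between.
EMPTY_SRC_RE = re.compile(r"\bfrom\s+(?:!\s*)?to\b")
EMPTY_DST_RE = re.compile(r"\bto\s+(?:!\s*)?(?:port|tracker|keep|flags|label)\b")


def lint_ruleset(text):
    """Return (line_no, line) for every rule with an empty address slot, so the
    problem can be caught before the ruleset is handed to pfctl."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if EMPTY_SRC_RE.search(line) or EMPTY_DST_RE.search(line):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    # PPPoE WAN is up: the negated source carries a real address.
    print(build_rule("! 203.0.113.7"))
    # PPPoE WAN is down: the address is empty and only the negation remains.
    broken = naive_build_rule(naive_source_expr("", True))
    print("naive:", broken)
    print("hardened:", build_rule(naive_source_expr("", True)))
    print("lint:", lint_ruleset("pass in quick on igb0 inet from any to any\n" + broken))
```

The lint pass is the cheap defensive check: running it over the rendered file before the load would have caught the line quoted in the report without needing to reproduce the interface flap.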