Bug #11861
Error loading rules in certain cases where an interface is temporarily without an address
Status: Closed
% Done: 100%
Description
Had an interface event on my edge firewall yesterday where one WAN lost its interface address and resulted in an invalid ruleset:
23:46:41 There were error(s) loading the rules: /tmp/rules.debug:397: syntax error - The line in question reads [397]: pass out quick on { igb2 } $GWCABLE inet from ! to any tracker 1617722899 keep state dnqueue( 2,1) label "USER_RULE: CoDel Limiters"
This particular floating rule is quirky as it passes outbound with a gateway set to setup limiters. The source address is "NOT <other WAN address>" and that other WAN is PPPoE. This is necessary to ensure it doesn't try to send non-default-WAN traffic out through that limiter unintentionally.
It doesn't happen every time, but in this case, the PPPoE connection was down temporarily and rather than skipping that rule as it usually does, the address ended up empty.
Seems like there should be another safety belt which checks the src/dst addresses before forming the rule. I have a feeling it's only checking for empty and the negation ("!") throws it off.
I can't reproduce this at will, unfortunately, so it will be tricky to confirm and test.
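The failure mode in the report is easy to model: if the generator prepends "! " to the address and only afterwards checks whether the operand is empty, a down interface yields "! " rather than "", the check passes, and pf rejects "from ! to any". The following Python is an added illustration, not pfSense's code (which is PHP) and not the fix in the referenced changeset. ADDRESSES, lookup_address, build_rule_buggy, build_rule_fixed and find_empty_operands are names assumed here; the sample addresses are constructed; the "# source address is empty." comment mirrors the shape of the skipped rule seen later in this ticket. The last function is the extra safety belt the report asks for, applied to the generated file instead of to the generator: it flags any rule line whose from/to operand is missing or consists only of "!".

```python
import re

# Constructed sample input (not from a real system): the address each
# interface currently holds. The PPPoE WAN's session is down, so its lookup
# yields "", which is the condition the report describes.
ADDRESSES = {
    "igb2": "198.51.100.7",   # cable WAN, up
    "pppoe0": "",             # PPPoE WAN, temporarily without an address
}


def lookup_address(iface):
    """Hypothetical stand-in for the generator's interface-address lookup."""
    return ADDRESSES.get(iface, "")


# Rule template modelled on the floating rule quoted in the report.
RULE = ('pass out quick on {{ {iface} }} {gateway} inet from {src} to any '
        'tracker {tracker} keep state label "{label}"')


def build_rule_buggy(iface, gateway, src_iface, src_negate, tracker, label):
    """Emptiness is checked on the composed operand. With negation the
    operand is '! ' rather than '', so it passes and pf sees 'from ! to'."""
    src = ("! " if src_negate else "") + lookup_address(src_iface)
    if src == "":
        return f'# source address is empty. label "{label}"'
    return RULE.format(iface=iface, gateway=gateway, src=src,
                       tracker=tracker, label=label)


def build_rule_fixed(iface, gateway, src_iface, src_negate, tracker, label):
    """Check the raw address before applying negation; when it is empty,
    skip the rule with a comment instead of emitting a broken line."""
    addr = lookup_address(src_iface)
    if not addr.strip():
        return f'# source address is empty. label "{label}"'
    src = ("! " if src_negate else "") + addr
    return RULE.format(iface=iface, gateway=gateway, src=src,
                       tracker=tracker, label=label)


# Safety belt for the file itself: a 'from' or 'to' whose operand is absent
# or is only '!' (next token is another keyword, or end of line).
EMPTY_OPERAND = re.compile(
    r'\b(?:from|to)\s+(?:!\s*)?(?=(?:to|tracker|keep|label|flags|port)\b|$)')


def find_empty_operands(ruleset):
    """Return (line number, line) for every rule line with an empty
    from/to operand. Comment lines are skipped."""
    hits = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if EMPTY_OPERAND.search(line):
            hits.append((n, line))
    return hits


def demo():
    """Build the report's rule both ways while pppoe0 has no address and
    lint a small ruleset containing both results."""
    args = ("igb2", "$GWCABLE", "pppoe0", True, 1617722899,
            "USER_RULE: CoDel Limiters")
    buggy = build_rule_buggy(*args)
    fixed = build_rule_fixed(*args)
    ruleset = "\n".join([
        'pass in quick on { igb2 } inet from any to any tracker 1 '
        'keep state label "ok"',
        buggy,
        fixed,
    ])
    return buggy, fixed, find_empty_operands(ruleset)


if __name__ == "__main__":
    buggy, fixed, hits = demo()
    print(buggy)
    print(fixed)
    for n, line in hits:
        print(f"line {n}: empty operand: {line}")
```

Without negation the buggy builder already skips the rule, which is why the problem only surfaced on the "NOT <other WAN address>" rule. On a live box the authoritative check remains pfctl -nf /tmp/rules.debug; the lint above only catches this one class of malformed line before pfctl is asked to load it.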
Updated by Jim Pingle over 3 years ago
As luck would have it that WAN just failed again and I was able to confirm that the fix I checked in corrects the problem.
: grep -i CoDel /tmp/rules.debug
# source address is empty. label "USER_RULE: CoDel Limiters"
Updated by Jim Pingle over 3 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 5401382ae85e57cd475d9460cde5732b755525a0.
Updated by Jim Pingle over 3 years ago
- Subject changed from Error loading rules in case where interface is temporarily without an address to Error loading rules in certain cases where an interface is temporarily without an address
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Closed
This has not recurred for me since the fix went in. Calling it solved.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2