Bug #11861

closed

Error loading rules in certain cases where an interface is temporarily without an address

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 04/27/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: All
Affected Architecture:

Description

Had an interface event on my edge firewall yesterday where one WAN lost its interface address and resulted in an invalid ruleset:

23:46:41 There were error(s) loading the rules: /tmp/rules.debug:397: syntax error - The line in question reads [397]: pass  out  quick  on {  igb2  }  $GWCABLE inet from ! to any tracker 1617722899 keep state  dnqueue( 2,1)  label "USER_RULE: CoDel Limiters"

This particular floating rule is quirky as it passes outbound with a gateway set to set up limiters. The source address is "NOT <other WAN address>" and that other WAN is PPPoE. This is necessary to ensure it doesn't try to send non-default-WAN traffic out through that limiter unintentionally.

It doesn't happen every time, but in this case, the PPPoE connection was down temporarily and rather than skipping that rule as it usually does, the address ended up empty.

Seems like there should be another safety belt which checks the src/dst addresses before forming the rule. I have a feeling it's only checking for empty and the negation ("!") throws it off.

I can't reproduce this at will, unfortunately, so it will be tricky to confirm and test.
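The safety belt the report asks for, as an added example that is not pfSense's own code: the address token is validated after the negation flag is separated from the address, so an empty address behind a "!" causes the rule to be skipped instead of emitting the invalid "from ! to any" line seen at rules.debug:397. Function names, the gateway macro and the sample addresses are assumptions made for this illustration.

```php
<?php
// Added example (not pfSense code): guard the src/dst address of a pf rule
// so that a negated-but-empty address is treated as unusable.

/**
 * Build the pf address token ("addr" or "! addr"), or return null when the
 * address is empty. Checking only the raw string would miss the case where
 * the negation is present but the interface currently has no address.
 */
function pf_address_token(string $addr, bool $negate): ?string {
    $addr = trim($addr);
    if ($addr === '') {
        // Negating nothing is still nothing: "from ! to any" is a syntax error in pf.
        return null;
    }
    return ($negate ? '! ' : '') . $addr;
}

/**
 * Assemble a floating pass-out rule shaped like the one in the report, or
 * return null so the caller skips the rule when either address is missing.
 * $ifs is the interface list, $gw the gateway macro (e.g. "$GWCABLE").
 */
function build_pass_out_rule(array $ifs, string $gw, string $src, bool $src_neg,
                             string $dst, bool $dst_neg, int $tracker, string $label): ?string {
    $from = pf_address_token($src, $src_neg);
    $to   = pf_address_token($dst, $dst_neg);
    if ($from === null || $to === null) {
        return null; // skip rather than write an invalid line into rules.debug
    }
    return sprintf('pass out quick on { %s } %s inet from %s to %s tracker %d keep state label "USER_RULE: %s"',
        implode(' ', $ifs), $gw, $from, $to, $tracker, $label);
}

// Constructed inputs: PPPoE WAN address present (rule emitted) vs. empty (rule skipped).
var_dump(build_pass_out_rule(['igb2'], '$GWCABLE', '203.0.113.7', true, 'any', false, 1617722899, 'CoDel Limiters'));
var_dump(build_pass_out_rule(['igb2'], '$GWCABLE', '', true, 'any', false, 1617722899, 'CoDel Limiters'));
```

The second call returns null, which is the behaviour the report expects when the PPPoE link is down; the first yields a rule whose source reads "! 203.0.113.7".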
