Regression #12040: Scheduled firewall rules failing to load
Status: Closed
Start date: 06/15/2021
% Done: 100%
Release Notes: Force Exclusion
Affected Version: 2.5.x
Affected Architecture: All
Description
In 2.5.2-RC, firewall rules with a schedule fail to load, generating an error.
Tested using this config:
<rule>
  <id></id>
  <tracker>1623761655</tracker>
  <type>reject</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <protocol>tcp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <address>1.1.1.1</address>
  </destination>
  <descr><![CDATA[Test Schedule]]></descr>
  <sched>9to5</sched>
  <created>
    <time>1623761655</time>
    <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
  </created>
  <updated>
    <time>1623761670</time>
    <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
  </updated>
</rule>
And schedule:
<schedules>
  <schedule>
    <name>9to5</name>
    <descr></descr>
    <timerange>
      <position>1,2,3,4,5</position>
      <hour>9:00-17:00</hour>
      <rangedescr></rangedescr>
    </timerange>
    <schedlabel>60c8a2cf2b439</schedlabel>
  </schedule>
</schedules>
Generates this rule:
block return in quick on $LAN inet proto tcp from any to 1.1.1.1 tracker 1623761655 flags S/SA schedule "60c8a2cf2b439" label "USER_RULE: Test Schedule"
Fails to load, generating this error:
There were error(s) loading the rules: /tmp/rules.debug:146: syntax error - The line in question reads [146]:
block return in quick on $LAN inet proto tcp from any to 1.1.1.1 tracker 1623761655 flags S/SA schedule "60c8a2cf2b439" label "USER_RULE: Test Schedule"
Tested:
2.5.2-RC (amd64) built on Sun Jun 13 17:15:05 EDT 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle over 3 years ago
- Tracker changed from Bug to Regression
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- % Done changed from 0 to 100
- Release Notes changed from Default to Force Exclusion
There were some commits for the latest pf changes which were not included in the last 2.5.2 build, but will be in the next build:
- 765277ba6d873847c6c5b5657877e9fb0cec4357 for schedules
- 0b817201399fb7252aeb09eca94362618728183f for keeping counter data between filter reloads
- 27a8acbb5455c3b3516d844024d9208ef23649bf for using the "tos" keyword rather than "dscp"
We should double check all of those before closing this out.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to In Progress
The scheduled rules are loading, but 765277ba6d873847c6c5b5657877e9fb0cec4357 needs another fix to correct the pfctl syntax for killing states by label.
Fix coming momentarily.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
Applied in changeset 2afcd4527d4b245c7968bf7ac6b6c505259fe6c9.
Updated by Viktor Gurov over 3 years ago
- Status changed from Feedback to Resolved
works as expected on 2.5.2.r.20210617.1709:
# grep 12040test /tmp/rules.debug
pass in quick on $LAN inet proto tcp from any to 1.1.1.1 tracker 1593067122 flags S/SA keep state label "s:60cd9a1615295" label "USER_RULE: 12040test"
# pfctl -sr | grep 12040test
pass in quick on vmx0 inet proto tcp from any to 1.1.1.1 flags S/SA keep state label "s:60cd9a1615295" label "USER_RULE: 12040test"
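As an added example (not from this ticket and not pfSense's own code): a small Python checker that parses the <schedules> block quoted in the description, decides whether the 9to5 schedule is active at a given time, and lints rules.debug lines so that a rule still carrying the bare `schedule "..."` token pfctl rejected is flagged, while the `label "s:<schedlabel>"` form seen in the verification output is recognised as the scheduled rule's label. Assumptions: <position> values are ISO weekdays (1 = Monday ... 7 = Sunday), a time range is active from its start (inclusive) to its end (exclusive), and every function name below is mine.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed input: the <schedules> block from the ticket description.
SCHEDULES_XML = """<schedules> <schedule> <name>9to5</name> <descr></descr>
<timerange> <position>1,2,3,4,5</position> <hour>9:00-17:00</hour>
<rangedescr></rangedescr> </timerange> <schedlabel>60c8a2cf2b439</schedlabel>
</schedule> </schedules>"""

# Constructed input: the rule line pfctl rejected on 2.5.2-RC and the line
# from the 2.5.2.r.20210617.1709 verification, both as quoted in the ticket.
RULE_LINES = [
    'block return in quick on $LAN inet proto tcp from any to 1.1.1.1 tracker 1623761655 '
    'flags S/SA schedule "60c8a2cf2b439" label "USER_RULE: Test Schedule"',
    'pass in quick on $LAN inet proto tcp from any to 1.1.1.1 tracker 1593067122 '
    'flags S/SA keep state label "s:60cd9a1615295" label "USER_RULE: 12040test"',
]

SCHEDULE_KEYWORD = re.compile(r'\sschedule\s+"([^"]+)"')   # token pf's parser rejected
SCHEDULE_LABEL = re.compile(r'label\s+"s:([^"]+)"')        # form used after the fix


def _minutes(hhmm):
    """'9:00' -> 540 (minutes since midnight)."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_schedules(xml_text):
    """Map schedule name -> {'label': schedlabel, 'ranges': [(weekdays, start, end)]}.
    Assumption: <position> lists ISO weekdays, 1 = Monday ... 7 = Sunday."""
    result = {}
    for sched in ET.fromstring(xml_text).findall("schedule"):
        ranges = []
        for tr in sched.findall("timerange"):
            days = frozenset(int(d) for d in tr.findtext("position").split(","))
            start, end = tr.findtext("hour").split("-")
            ranges.append((days, _minutes(start), _minutes(end)))
        result[sched.findtext("name")] = {
            "label": sched.findtext("schedlabel"),
            "ranges": ranges,
        }
    return result


def schedule_active(sched, when):
    """True if `when` (datetime or ISO 8601 string) falls inside any range.
    Assumption: start is inclusive, end is exclusive."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    minute = when.hour * 60 + when.minute
    return any(when.isoweekday() in days and start <= minute < end
               for days, start, end in sched["ranges"])


def classify_rule(line):
    """How a rules.debug line carries its schedule:
    ('keyword', id)  bare `schedule "..."` token, the syntax pfctl rejected
    ('label', id)    `label "s:<schedlabel>"`, the form in the verification output
    ('none', None)   rule is not scheduled"""
    m = SCHEDULE_KEYWORD.search(line)
    if m:
        return ("keyword", m.group(1))
    m = SCHEDULE_LABEL.search(line)
    if m:
        return ("label", m.group(1))
    return ("none", None)


def lint_rules(lines):
    """Return the lines that would still trip the syntax error from the ticket."""
    return [line for line in lines if classify_rule(line)[0] == "keyword"]


if __name__ == "__main__":
    nine_to_five = parse_schedules(SCHEDULES_XML)["9to5"]
    print("schedlabel:", nine_to_five["label"])
    print("active Wed 10:00:", schedule_active(nine_to_five, "2021-06-16T10:00"))
    print("active Sat 10:00:", schedule_active(nine_to_five, "2021-06-19T10:00"))
    for line in RULE_LINES:
        print(classify_rule(line))
    print("lines pfctl would reject:", len(lint_rules(RULE_LINES)))
```

Running `lint_rules` over a freshly generated /tmp/rules.debug before a filter reload is a cheap way to catch this class of regression on a test box: any hit means the generator is still emitting the keyword form, and the schedule id in the hit can be matched against `schedlabel` in config.xml.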