<p><strong>pfSense bugtracker</strong>: pfSense - Feature #12092: Utilize new <code>pfctl</code> abilities to kill states</p>
<p><strong>Jim Pingle</strong>, 2021-06-29T09:19:56Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=54789">journal 54789</a>)</p>
<ul><li><strong>Target version</strong> set to <i>2.6.0</i></li><li><strong>Plus Target Version</strong> set to <i>21.09</i></li></ul>
<p><strong>Jim Pingle</strong>, 2021-06-29T09:23:58Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=54790">journal 54790</a>)</p>
<p>Another random thought, it <em>might</em> be possible to leverage this to help with multi-wan (like <a class="issue tracker-1 status-11 priority-4 priority-default closed" title="Bug: Selectively killing states on WAN failure (Duplicate)" href="https://redmine.pfsense.org/issues/8555">#8555</a>) since we could kill states for rule(s) using a gateway or group including a down gateway along with the ID of outbound rule(s) on the failed WAN (automatic and also floating rules). Worth investigating, but may not pan out.</p>
<p><strong>→ luckman212</strong>, 2021-06-29T16:14:40Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=54802">journal 54802</a>)</p>
<p>@Jim yes that would be a godsend for multiwan if it works out. I always dreamed of being able to kill specific states that were tagged with a certain label (e.g. SIP connections) during failback events, but the best I was able to do was cobble together hacky shell scripts involving cron, pfctl, grep &amp; awk... this would be so much nicer. I hope it's in the cards.</p>
<p><strong>Jim Pingle</strong>, 2021-06-29T16:35:14Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=54803">journal 54803</a>)</p>
<p>→ luckman212 wrote:</p>
<blockquote>
<p>@Jim yes that would be a godsend for multiwan if it works out. I always dreamed of being able to kill specific states that were tagged with a certain label (e.g. SIP connections) during failback events, but the best I was able to do was cobble together hacky shell scripts involving cron, pfctl, grep &amp; awk... this would be so much nicer. I hope it's in the cards.</p>
</blockquote>
<p>Even if this doesn't work out like I'm hoping, you could script it more easily with a rule label like "SIP connections" to match what you want and then <code>pfctl -k label -k "USER_RULE: SIP connections"</code> to kill the connections matching that rule. Make sure to match in and out using the same label and it should catch them all.</p>
<p><strong>Marcos M</strong>, 2021-06-30T10:16:28Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=54806">journal 54806</a>)</p>
<p>Note on "That also assumes the rule has an ID in its configuration, which we may need to check is always true."</p>
<p>This indeed should be taken into account. I've come across more than a handful of configurations where there existed rules without an ID, likely because the upgrade path for that was never hit.</p>
<p><strong>Jim Pingle</strong>, 2021-08-24T08:00:26Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=55917">journal 55917</a>)</p>
<ul><li><strong>Plus Target Version</strong> changed from <i>21.09</i> to <i>22.01</i></li></ul><p>Moving ahead, still needs more thought/planning about how best to approach this.</p>
<p><strong>Jim Pingle</strong>, 2021-10-27T12:11:14Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=57149">journal 57149</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>2.6.0</i> to <i>CE-Next</i></li><li><strong>Plus Target Version</strong> changed from <i>22.01</i> to <i>22.05</i></li></ul>
<p><strong>Jim Pingle</strong>, 2022-03-07T14:30:51Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59592">journal 59592</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>2.7.0</i></li></ul>
<p><strong>Jim Pingle</strong>, 2022-03-07T14:34:31Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59594">journal 59594</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>Adding basic functions here is pretty straightforward. It's easy enough to add a means to kill states created by a rule, though it's a little counterintuitive.</p>
<p>Killing by tracker ID will kill the states created by the rule with that ID, which is expected, but there will nearly always be another state as the connection exits the firewall and there isn't a way to associate that and kill it, too. But killing the one may be good enough for now.</p>
<p>Same story for killing states created by policy routing rules using a given gateway and group. We can find and kill the states created by the rules with the gateway/group set on them but not the egress states. This may be good enough, though, since we can kill the egress states without much trouble as is (e.g. kill states on WANX when WANX goes down, then kill any states created by GW_WANX).</p>
<p>I'll have some test code for this soon, at least for the manual state killing parts.</p>
<p><strong>Jim Pingle</strong>, 2022-03-08T07:40:01Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59597">journal 59597</a>)</p>
<p>The more I consider how this might work the less sure I am that the gateway part would be useful in a way most users would expect. Users would expect that it would kill any state using the gateway, even gateway groups, but it wouldn't be that precise. If a rule uses a gateway group it would have to kill any state using that group, not just states hitting that rule using a specific gateway inside the group. Granted that's still better than killing all states everywhere on gateway failure, but it may require extra clarification in the GUI and/or docs.</p>
<p><strong>Jim Pingle</strong>, 2022-03-08T09:32:21Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59598">journal 59598</a>)</p>
<p>Kristof let me know that we do also have <code>pfctl -k gateway -k x.x.x.x</code> which would fill the missing pieces in here. It's not in the man page or command help so I missed that it was available again.</p>
<p><strong>Jim Pingle</strong>, 2022-03-09T08:06:56Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59624">journal 59624</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>Utilize new <code>pfctl</code> ability to kill states by label</i> to <i>Utilize new <code>pfctl</code> abilities to kill states</i></li></ul><p>Updating subject as this has evolved a bit to encompass both killing by label for rule IDs and killing by gateway.</p>
<p><strong>Jim Pingle</strong>, 2022-03-11T07:25:08Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59677">journal 59677</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="New methods for killing states. Implements #12092" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/c5d0d75dbdb11753fb95b3ffb933e546d49924ca">c5d0d75dbdb11753fb95b3ffb933e546d49924ca</a>.</p>
<p><strong>Jim Pingle</strong>, 2022-03-11T08:00:44Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59679">journal 59679</a>)</p>
<p>These changes will be available in snapshots soon. It grew a little bit since the initial description but it ended up better overall as there were problems with the original approach that are mostly solved by the different approach I ended up using.</p>
<ul>
<li>Added action on firewall rule list to kill states on an interface created by a specific rule (from firewall rule list)</li>
<li>Added action on gateway status page to kill states created by policy routing rules using a specific gateway name (from gateway status page)</li>
<li>Added action on gateway status page to kill states using the default gateway (0.0.0.0 or ::) -- these options match states from rules that DO NOT use policy routing or reply-to.</li>
<li>Added action on gateway status and gateway group page to kill states by gateway IP address (catches route-to/policy routing and reply-to, both inbound and outbound)</li>
<li>Added action on gateway group status page to kill states created by policy routing rules using a specific gateway group name (catching anything that hits rules without route-to)</li>
<li>Change global state killing option to be granular (none, all down, flush all)</li>
<li>Add per-gateway option to override global behavior (use default, do not kill, kill when down)</li>
<li>Improve logic when determining which gateways are considered in state killing behavior.</li>
<li>Log action when killing states</li>
<li>Upgrade code to convert old setting to new format</li>
</ul>
<p>I started a forum thread with additional information and for feedback: <a class="external" href="https://forum.netgate.com/topic/170690/new-state-killing-mechanisms-12092">https://forum.netgate.com/topic/170690/new-state-killing-mechanisms-12092</a></p>
<p><strong>Jim Pingle</strong>, 2022-03-11T08:12:09Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59680">journal 59680</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-3 priority-3 priority-low2 closed" href="/issues/12931">Feature #12931</a>: Retain knowledge of previous dynamic gateway IP address when interface is down</i> added</li></ul>
<p><strong>Jim Pingle</strong>, 2022-03-11T08:13:44Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59684">journal 59684</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-11 priority-4 priority-default closed" href="/issues/8555">Bug #8555</a>: Selectively killing states on WAN failure</i> added</li></ul>
<p><strong>Jim Pingle</strong>, 2022-03-11T08:14:18Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59686">journal 59686</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-3 priority-4 priority-default closed" href="/issues/855">Feature #855</a>: Ability to selectively kill states on gateway recovery</i> added</li></ul>
<p><strong>Jim Pingle</strong>, 2022-03-14T10:46:01Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=59730">journal 59730</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/12942">Bug #12942</a>: Code to kill states for old gateway when reconnecting an interface is incorrect</i> added</li></ul>
<p><strong>Jim Pingle</strong>, 2022-05-31T13:49:41Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=61558">journal 61558</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul><p>This has been working well for a while now. Any issues we hit from here can be addressed separately.</p>
<p><strong>Marcos M</strong>, 2023-02-06T10:48:50Z (<a href="https://redmine.pfsense.org/issues/12092?journal_id=65536">journal 65536</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/13934">Bug #13934</a>: Killing states by gateway can miss some IPv6 outbound states</i> added</li></ul>
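<p>As an added example (not pfSense's own code and not the changeset referenced above), the two <code>pfctl -k</code> forms Jim Pingle describes in this thread, killing by rule label and killing by gateway address, wrapped in a POSIX sh script that a gateway-monitor hook could call on WAN failure. The interface name <code>igb1</code>, the address 203.0.113.1 and the label names in the usage comment are placeholders, and <code>PFCTL</code> can be pointed at a stub for a dry run.</p>

```shell
#!/bin/sh
# Added example, not pfSense's own code: wraps the state-killing forms
# discussed in the thread so a failover hook can call them. PFCTL may be
# pointed at a stub (dry run) instead of the real pfctl binary.
PFCTL="${PFCTL:-pfctl}"

log() { printf 'state-kill: %s\n' "$*" >&2; }

# Kill the states created by every rule carrying a given GUI label.
# pf prefixes GUI labels with "USER_RULE: ", and the label is passed as
# ONE argument so labels containing spaces ("SIP connections") stay intact.
# Tag the matching in and out rules with the same label to catch both
# directions of a connection.
kill_states_for_label() {
  label="$1"
  [ -n "$label" ] || { log "refusing to kill states for an empty label"; return 2; }
  log "killing states for label '$label'"
  "$PFCTL" -k label -k "USER_RULE: $label"
}

# Two-step cleanup for a failed WAN, as described in the thread: flush the
# egress states that leave through its interface, then kill the policy-
# routing / reply-to states bound to its gateway address.
kill_states_for_failed_gateway() {
  realif="$1"; gw_ip="$2"
  if [ -z "$realif" ] || [ -z "$gw_ip" ]; then
    log "interface and gateway IP are both required"; return 2
  fi
  log "flushing states on $realif"
  "$PFCTL" -i "$realif" -F states
  log "killing states using gateway $gw_ip"
  "$PFCTL" -k gateway -k "$gw_ip"
}

# Gateway cleanup plus any labels whose sessions must not linger on the
# dead path (for example SIP registrations).
handle_gateway_down() {
  realif="$1"; gw_ip="$2"; shift 2
  kill_states_for_failed_gateway "$realif" "$gw_ip" || return $?
  for lbl in "$@"; do
    kill_states_for_label "$lbl" || return $?
  done
}

# Usage (placeholder values): ./kill-states.sh igb1 203.0.113.1 "SIP connections"
if [ "$#" -ge 2 ]; then
  handle_gateway_down "$@"
fi
```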