Regression #12287
closed
State table entry rule ID does not contain the expected value
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Force Exclusion
Affected Version: 2.6.0
Affected Architecture:
Description
On snapshots, the rule number in the state table data does not contain the expected value:
all tcp 198.51.100.104:443 <- 198.51.100.142:43958 FIN_WAIT_2:FIN_WAIT_2 [2501411308 + 2147156224] wscale 7 [2163627184 + 4278255872] wscale 7 age 750314:22:56, expires in 00:00:00, 36:45 pkts, 4179:19880 bytes, rule 1744830464 id: 1caa1f6100000002 creatorid: be86b95f gateway: 198.51.100.1 origif: vtnet0
: pfctl -vvsr | egrep 1744830464 :
It should show the rule number from this entry:
@104(1617118076) pass in quick on vtnet0 reply-to (vtnet0 198.51.100.1) inet from <RemoteAdmin:0> to (self:1) flags S/SA keep state label "USER_RULE: Allow Remote Admin to this firewall (permissive)"
It behaves as expected on the current release, but is broken on snapshots.
Updated by Jim Pingle about 3 years ago
- Release Notes changed from Default to Force Exclusion
- Affected Version set to 2.6.0
Updated by Kristof Provost about 3 years ago
- Status changed from New to Feedback
That's an endianness issue. The kernel converts several fields to network-endianness, and the (userspace) libpfctl lib failed to reverse that.
It's fixed in devel-12 in https://gitlab.netgate.com/pfSense/FreeBSD-src/-/commit/651256459f172c0048b4dcd088daf1238cbc52b0 (cherry-picked upstream main commit).
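The byte-order mix-up described in this comment can be checked against the numbers in the report: 1744830464 is 0x68000000 and rule 104 is 0x68. The following is an added example, not code from libpfctl or the linked commit; `struct state_export`, the helper names, the little-endian host and the ruleset size of 200 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one exported state record. Only the rule number
 * is modelled; the real kernel/libpfctl structures are not reproduced. */
struct state_export {
    uint8_t rule[4];              /* rule number in network byte order */
};

/* Rule 104 from the report, as its four bytes in network order. */
static const struct state_export sample = { { 0x00, 0x00, 0x00, 0x68 } };

/* The value a little-endian host (assumed, e.g. amd64) gets when it uses
 * the field without converting it. */
static uint32_t rule_unconverted_le(const struct state_export *s)
{
    return (uint32_t)s->rule[0] | ((uint32_t)s->rule[1] << 8) |
           ((uint32_t)s->rule[2] << 16) | ((uint32_t)s->rule[3] << 24);
}

/* Correct decode from network order, equivalent to ntohl(). */
static uint32_t rule_converted(const struct state_export *s)
{
    return ((uint32_t)s->rule[0] << 24) | ((uint32_t)s->rule[1] << 16) |
           ((uint32_t)s->rule[2] << 8) | (uint32_t)s->rule[3];
}

static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Triage check: a displayed rule number that is out of range for the
 * loaded ruleset but in range once byte-swapped points at this bug. */
static int looks_byteswapped(uint32_t shown, uint32_t nrules)
{
    return shown >= nrules && swap32(shown) < nrules;
}

int main(void)
{
    uint32_t bad = rule_unconverted_le(&sample);
    printf("unconverted: %u\n", (unsigned)bad);
    printf("converted:   %u\n", (unsigned)rule_converted(&sample));
    printf("byte-swapped? %s\n", looks_byteswapped(bad, 200) ? "yes" : "no");
    return 0;
}
```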
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to Resolved
This has been solid since the fix made it into snapshots.
Updated by Jim Pingle almost 3 years ago
- Plus Target Version changed from 21.09 to 22.01