Regression #12287

closed

State table entry rule ID does not contain the expected value

Added by Jim Pingle 2 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Very High
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Force Exclusion
Affected Version:
2.6.0
Affected Architecture:

Description

On snapshots, the rule number in the state table data does not contain the expected value.

all tcp 198.51.100.104:443 <- 198.51.100.142:43958       FIN_WAIT_2:FIN_WAIT_2
   [2501411308 + 2147156224] wscale 7  [2163627184 + 4278255872] wscale 7
   age 750314:22:56, expires in 00:00:00, 36:45 pkts, 4179:19880 bytes, rule 1744830464
   id: 1caa1f6100000002 creatorid: be86b95f gateway: 198.51.100.1
   origif: vtnet0
: pfctl -vvsr | egrep 1744830464
:

It should show the rule number from this entry:

\@104(1617118076) pass in quick on vtnet0 reply-to (vtnet0 198.51.100.1) inet from <RemoteAdmin:0> to (self:1) flags S/SA keep state label "USER_RULE: Allow Remote Admin to this firewall (permissive)" 

It behaves as expected on the current release, but is broken on snapshots.

Actions #1

Updated by Jim Pingle 2 months ago

  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.6.0
Actions #2

Updated by Kristof Provost 2 months ago

  • Status changed from New to Feedback

That's an endianness issue. The kernel converts several fields to network-endianness, and the (userspace) libpfctl lib failed to reverse that.
It's fixed in devel-12 in https://gitlab.netgate.com/pfSense/FreeBSD-src/-/commit/651256459f172c0048b4dcd088daf1238cbc52b0 (cherry-picked upstream main commit).
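The arithmetic behind the description's bogus rule number and this comment's endianness explanation, as an added example that is not part of the report or of the pfSense/FreeBSD code: the kernel writes the rule number in network (big-endian) byte order, and a userspace reader that skips the ntohl() on a little-endian host sees 104 as 1744830464. The state line is taken from the report; the ruleset size used by the sanity check is an assumed value.

```python
import re
import struct

# State-table line quoted in the report (constructed input for this example).
STATE_LINE = "age 750314:22:56, expires in 00:00:00, 36:45 pkts, 4179:19880 bytes, rule 1744830464"
# Assumed number of rules in the loaded ruleset; any value above 104 and below
# 1744830464 shows the same effect.
RULESET_SIZE = 200


def kernel_encodes(rule_nr: int) -> bytes:
    """The kernel exports the rule number in network (big-endian) order, like htonl()."""
    return struct.pack(">I", rule_nr)


def userspace_without_ntohl(buf: bytes) -> int:
    """Buggy reader: interprets the bytes as a native u32 on a little-endian (amd64) host."""
    return struct.unpack("<I", buf)[0]


def userspace_with_ntohl(buf: bytes) -> int:
    """Fixed reader: reverses the kernel's conversion, i.e. ntohl()."""
    return struct.unpack(">I", buf)[0]


def byte_swapped(n: int) -> int:
    """Return the 32-bit value with its byte order reversed (0x68000000 <-> 0x00000068)."""
    return struct.unpack("<I", struct.pack(">I", n))[0]


def rule_nr_from_state_line(line: str) -> int:
    """Pull the 'rule N' field out of a pfctl -vvss state line."""
    match = re.search(r"\brule (\d+)\b", line)
    if match is None:
        raise ValueError("no rule field in state line")
    return int(match.group(1))


def looks_byte_swapped(rule_nr: int, ruleset_size: int) -> bool:
    """Sanity check for an affected libpfctl: the reported number is out of range for
    the ruleset, but its byte-swapped form is a valid rule index."""
    return rule_nr >= ruleset_size and byte_swapped(rule_nr) < ruleset_size


if __name__ == "__main__":
    wire = kernel_encodes(104)
    print("without ntohl:", userspace_without_ntohl(wire))  # 1744830464, as in the report
    print("with ntohl:   ", userspace_with_ntohl(wire))     # 104, matching @104 in pfctl -vvsr
    print("state line byte-swapped?", looks_byte_swapped(rule_nr_from_state_line(STATE_LINE), RULESET_SIZE))
```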

Actions #3

Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

This has been solid since the fix made it into snapshots.
