Bug #12588

closed

Automatic rule tracker IDs incorrect after multiple filter reloads

Added by Steve Wheeler over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture: All

Description

In some circumstances the generated ruleset is created with unexpected tracker ID values at boot.

The values seen vary by install but are consistent across a reboot. For example:

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000104531 label "Default deny rule IPv4" 
block out log inet all ridentifier 1000104532 label "Default deny rule IPv4" 
block in log inet6 all ridentifier 1000104533 label "Default deny rule IPv6" 
block out log inet6 all ridentifier 1000104534 label "Default deny rule IPv6" 

After a filter reload the ruleset uses expected values:

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000000101 label "Default deny rule IPv4" 
block out log inet all ridentifier 1000000102 label "Default deny rule IPv4" 
block in log inet6 all ridentifier 1000000103 label "Default deny rule IPv6" 
block out log inet6 all ridentifier 1000000104 label "Default deny rule IPv6" 

This can result in firewall log entries being mislabelled or labelled unexpectedly.

Tested:

2.6.0-DEVELOPMENT (amd64)
built on Mon Dec 13 20:27:39 UTC 2021
FreeBSD 12.3-STABLE

I have replicated this in 22.01 and 2.5.2/21.05.2 as well as older versions.
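As an added example (not part of this report or of pfSense's own code), the following Python script parses two ruleset dumps in the rules.debug format quoted above, reports the automatic rules whose tracker ID differs between the boot-time and post-reload rulesets, and shows how a tracker ID recorded in the filter log at boot no longer resolves to a label against the post-reload ruleset. The sample rulesets are constructed from the excerpts above; the function names and the regular expression are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample rulesets, modelled on the rules.debug excerpts in the
# report: the same four default-deny rules as generated at boot and after a
# filter reload. Only the ridentifier values differ.
BOOT_RULES = """\
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all ridentifier 1000104531 label "Default deny rule IPv4"
block out log inet all ridentifier 1000104532 label "Default deny rule IPv4"
block in log inet6 all ridentifier 1000104533 label "Default deny rule IPv6"
block out log inet6 all ridentifier 1000104534 label "Default deny rule IPv6"
"""

RELOAD_RULES = """\
# default deny rules
block in log inet all ridentifier 1000000101 label "Default deny rule IPv4"
block out log inet all ridentifier 1000000102 label "Default deny rule IPv4"
block in log inet6 all ridentifier 1000000103 label "Default deny rule IPv6"
block out log inet6 all ridentifier 1000000104 label "Default deny rule IPv6"
"""

# Matches one pf rule line carrying a tracker ID (ridentifier) and a label.
# Assumed format for this example, taken from the lines quoted in the report.
RULE_RE = re.compile(
    r'^(?P<rule>\S.*?)\s+ridentifier\s+(?P<tid>\d+)\s+label\s+"(?P<label>[^"]*)"'
)

# A rule is keyed by its text without the ridentifier, plus its label, so the
# "in" and "out" variants of the same label stay distinct.
RuleKey = Tuple[str, str]


def parse_rules(text: str) -> Dict[RuleKey, int]:
    """Parse ruleset text into {(rule, label): tracker_id}.

    Comment and blank lines are skipped; lines without a ridentifier/label
    pair are ignored.
    """
    rules: Dict[RuleKey, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules[(m["rule"], m["label"])] = int(m["tid"])
    return rules


def tracker_drift(before: Dict[RuleKey, int],
                  after: Dict[RuleKey, int]) -> Dict[RuleKey, Tuple[int, int]]:
    """Rules present in both rulesets whose tracker ID changed: key -> (old, new)."""
    return {
        key: (before[key], after[key])
        for key in before
        if key in after and before[key] != after[key]
    }


def resolve_log_tracker(tracker_id: int,
                        rules: Dict[RuleKey, int]) -> Optional[str]:
    """Map a tracker ID from a filter log entry back to its rule label.

    Returns None when no rule in the given ruleset carries that ID, which is
    what happens to boot-time IDs once the ruleset has been reloaded.
    """
    for (_rule, label), tid in rules.items():
        if tid == tracker_id:
            return label
    return None


if __name__ == "__main__":
    boot = parse_rules(BOOT_RULES)
    reload = parse_rules(RELOAD_RULES)
    for (rule, label), (old, new) in tracker_drift(boot, reload).items():
        print(f'{rule} label "{label}": tracker {old} at boot, {new} after reload')
    # A log entry written at boot with tracker 1000104531 cannot be labelled
    # from the post-reload ruleset.
    print("boot-time ID resolves after reload:",
          resolve_log_tracker(1000104531, reload))
```

Run against two copies of the generated ruleset (one captured after boot, one after a filter reload) rather than the constructed strings to confirm whether a given install is affected; an empty drift report means the tracker IDs were stable.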
