Regression #12937
Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server
Status: closed
% Done: 100%
Description
After running the traffic shaper wizard and defining an Upstream SIP server IP address under the VOIP specific settings, inappropriate floating rules will be created, which will prevent the firewall filter from reloading.
It fails with the following log:
There were error(s) loading the rules: /tmp/rules.debug:146: rule expands to no valid combination - The line in question reads [146]: match inet6 proto udp from 192.168.33.20 to any ridentifier 1646990408 queue (qVoIP) label "USER_RULE: Connections From Upstream SIP Server"
It looks like the Wizard defines rules using IPv4+IPv6 Address Family, which can be used only with aliases.
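An added example (not pfSense code and not part of the original report): a pre-load check that flags generated rule lines whose declared address family disagrees with a literal source or destination address, the condition visible in the failing line quoted above. The first three sample lines are the failing lines quoted in this issue; the last three, including the alias name, are constructed.

```python
import ipaddress

# Lines 1-3 are quoted in this issue; lines 4-6 (and the alias name) are constructed.
SAMPLE_RULES = [
    'match inet6 proto udp from 192.168.33.20 to any ridentifier 1646990408 queue (qVoIP) label "USER_RULE: Connections From Upstream SIP Server"',
    'match inet6 proto udp from any to 10.0.5.200 ridentifier 1649625457 queue (qVoIP) label "id:1649625457" label "USER_RULE: Connections To Upstream SIP Server"',
    'match on { vmx1 vmx3.521 } inet6 from 10.0.5.200 to any ridentifier 1649625679 queue (qOthersLow) label "id:1649625679" label "USER_RULE: Penalty Box"',
    'match inet proto udp from 192.168.33.20 to any queue (qVoIP)',
    'match inet6 proto udp from 2001:db8::20 to any queue (qVoIP)',
    'match inet6 from <example_alias> to { 2001:db8::1, 10.0.5.200 } queue (qVoIP)',
]

def literal_family(host):
    """Return 'inet'/'inet6' for a literal address or CIDR, else None."""
    try:
        net = ipaddress.ip_network(host.lstrip("!"), strict=False)
    except ValueError:
        return None  # 'any', <table>, $macro, hostname: cannot be checked statically
    return "inet" if net.version == 4 else "inet6"

def endpoint_hosts(tokens, keyword):
    """Hosts following 'from' or 'to', expanding a { ... } list."""
    if keyword not in tokens:
        return []
    i = tokens.index(keyword) + 1
    if i < len(tokens) and tokens[i] == "{":
        rest = tokens[i + 1:]
        return rest[:rest.index("}")] if "}" in rest else rest
    return tokens[i:i + 1]

def find_af_mismatches(rules):
    """Return (line number, declared family, direction, host) per mismatch."""
    findings = []
    for lineno, rule in enumerate(rules, 1):
        body = rule.split(" label ", 1)[0]  # drop free-text labels
        for ch in "{}":
            body = body.replace(ch, f" {ch} ")
        tokens = body.replace(",", " ").split()
        declared = next((t for t in tokens if t in ("inet", "inet6")), None)
        if declared is None:
            continue  # no family keyword: nothing to contradict
        for keyword in ("from", "to"):
            for host in endpoint_hosts(tokens, keyword):
                family = literal_family(host)
                if family and family != declared:
                    findings.append((lineno, declared, keyword, host))
    return findings

if __name__ == "__main__":
    for finding in find_af_mismatches(SAMPLE_RULES):
        print("line %d: %s rule with %s address %s" % finding)
```

Aliases and macros are skipped because their contents are not known from the rule text alone.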
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 21.02 to 22.05
Updated by Viktor Gurov over 2 years ago
- Tracker changed from Bug to Regression
- Assignee set to Viktor Gurov
Updated by Viktor Gurov over 2 years ago
- Related to Feature #4769: IPv6 support in the Traffic Shaper Wizard added
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle over 2 years ago
- Subject changed from Traffic Shaper basic Wizard rules to Traffic Shaper wizard can produce an invalid ruleset when configured with an IPv4 upstream SIP server
Updating subject for release notes.
Updated by Viktor Gurov over 2 years ago
- % Done changed from 0 to 100
Applied in changeset 030fab3edaee1c2f10ea8695a041864810d94390.
Updated by Marcos M over 2 years ago
Tested on 22.05.a.20220410.0600.
There are still places where it fails:
There were error(s) loading the rules: /tmp/rules.debug:230: rule expands to no valid combination - The line in question reads [230]: match inet6 proto udp from any to 10.0.5.200 ridentifier 1649625457 queue (qVoIP) label "id:1649625457" label "USER_RULE: Connections To Upstream SIP Server"
Additionally:
There were error(s) loading the rules: /tmp/rules.debug:227: rule expands to no valid combination - The line in question reads [227]: match on { vmx1 vmx3.521 } inet6 from 10.0.5.200 to any ridentifier 1649625679 queue (qOthersLow) label "id:1649625679" label "USER_RULE: Penalty Box"
- Using the Penalty Box option results in a floating rule using the queue qOthersLow which does not exist.
- Floating rules without a specific interface should be created with the Any interface selected instead.
Updated by Viktor Gurov over 2 years ago
Marcos Mendoza wrote in #note-8:
Additionally:
- Using the Penalty Box option results in a floating rule using the queue qOthersLow which does not exist.
- Floating rules without a specific interface should be created with the Any interface selected instead.
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/708
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Marcos M over 2 years ago
Everything works except for:
Floating rules without a specific interface should be created with the Any interface selected instead.
For reference, the option that created the empty interface list is the VOIP rules one.
Updated by Viktor Gurov over 2 years ago
- Status changed from Feedback to New
Marcos Mendoza wrote in #note-13:
Everything works except for:
Floating rules without a specific interface should be created with the Any interface selected instead.
For reference, the option that created the empty interface list is the VOIP rules one.
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/723
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by luckman212 over 2 years ago
Is this at all related to https://redmine.pfsense.org/issues/13026 ? I am eager to have limiters working again on 22.05 snaps, sorry to be a PITA.
Updated by Marcos M over 2 years ago
- Status changed from Feedback to New
The VOIP rules were created with the Any interface. However, this error is back now:
There were error(s) loading the rules: /tmp/rules.debug:221: rule expands to no valid combination - The line in question reads [221]: match on { vmx1 vmx3.521 } inet6 from 172.19.1.10 to any ridentifier 1650416745 queue (qDefault) label "id:1650416745" label "USER_RULE: Penalty Box"
@ 2022-04-19 20:05:47
and with "Others" option enabled:
There were error(s) loading the rules: /tmp/rules.debug:229: rule expands to no valid combination - The line in question reads [229]: match on { vmx1 vmx3.521 } inet6 from 172.19.1.10 to any ridentifier 1650417190 queue (qOthersLow) label "id:1650417190" label "USER_RULE: Penalty Box"
@ 2022-04-19 20:13:12
Updated by Viktor Gurov over 2 years ago
Marcos Mendoza wrote in #note-18:
The VOIP rules were created with the Any interface. However, this error is back now:
There were error(s) loading the rules: /tmp/rules.debug:221: rule expands to no valid combination - The line in question reads [221]: match on { vmx1 vmx3.521 } inet6 from 172.19.1.10 to any ridentifier 1650416745 queue (qDefault) label "id:1650416745" label "USER_RULE: Penalty Box"
@ 2022-04-19 20:05:47
and with "Others" option enabled:
There were error(s) loading the rules: /tmp/rules.debug:229: rule expands to no valid combination - The line in question reads [229]: match on { vmx1 vmx3.521 } inet6 from 172.19.1.10 to any ridentifier 1650417190 queue (qOthersLow) label "id:1650417190" label "USER_RULE: Penalty Box"
@ 2022-04-19 20:13:12
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/728
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback