Regression #12949
The ruleset is not regenerated after assigning an interface
Status: closed
% Done: 100%
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.x
Affected Architecture: All
Description
In some circumstances the ruleset is not reloaded or regenerated after re-assigning an interface.
For example, after reassigning the WAN from igb0 to lagg0 in the webgui and saving, the WAN interface is correctly switched and brings up an IP as shown in ifconfig:
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:90:7f:da:44:72
        inet6 fe80::290:7fff:feda:4472%lagg0 prefixlen 64 scopeid 0x11
        inet 172.21.16.183 netmask 0xffffff00 broadcast 172.21.16.255
        laggproto lacp lagghash l2,l3,l4
        laggport: ix0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: ix1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
But the firewall is not usable because the ruleset in place is still referencing igb0:
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: cat /tmp/rules.debug
set limit table-entries 400000
set optimization normal
set limit states 397000
set limit src-nodes 397000

#System aliases
loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"
That can also be seen in the running ruleset:
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: pfctl -sr | grep igb0
scrub on igb0 inet all fragment reassemble
scrub on igb0 inet6 all fragment reassemble
pass in quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" ridentifier 1000000561
pass out quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" ridentifier 1000000562
pass in quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000563
pass in quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000564
pass out quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" ridentifier 1000000565
pass in quick on igb0 inet all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" ridentifier 1647298900
pass in quick on igb0 inet6 all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" ridentifier 1647298900
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: pfctl -sr | grep lagg0
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root:
Tested using a DHCP WAN where both igb0 and lagg0 are pulling leases from the same server.
Tested in 2.6. It does not happen in 2.5.2.
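A quick check for the stale-ruleset condition described above, added here as an example that is not part of the report or of pfSense: it parses the interface macros from rules.debug-style text and counts loaded rules still bound to an interface in pfctl -sr output. The sample text is constructed from the output in the report; the expected assignment (WAN on lagg0) is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense): detect a ruleset that
# still references the old physical interface after a GUI reassignment.
# On a live system the inputs would be /tmp/rules.debug and `pfctl -sr`;
# here both are constructed samples taken from the report above.

SAMPLE_RULES='set limit table-entries 400000
#System aliases
loopback = "{ lo0 }"
WAN = "{ igb0 }"
LAN = "{ igb1 }"'

SAMPLE_PFCTL='scrub on igb0 inet all fragment reassemble
scrub on igb0 inet6 all fragment reassemble
pass in quick on igb0 inet all flags S/SA keep state label "test" ridentifier 1647298900'

# Print the physical interface bound to a pfSense interface macro
# (WAN, LAN, OPT1, ...) in rules.debug-style text read from stdin.
rules_ifname() {
    sed -n "s/^$1 = \"{ \([^ ]*\) }\"/\1/p"
}

# Compare the macro in the ruleset text (stdin) with the interface the GUI
# assigned. Returns 0 on a match, 1 when the ruleset is stale or lacks the macro.
check_assignment() {
    macro=$1
    expected=$2
    actual=$(rules_ifname "$macro")
    if [ -z "$actual" ]; then
        echo "STALE: no macro for $macro in ruleset"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "STALE: $macro = $actual in ruleset, assigned to $expected"
        return 1
    fi
    echo "OK: $macro = $actual"
}

# Count loaded rules bound to a physical interface in pfctl -sr output (stdin).
# A non-zero count for the old interface after reassignment means the stale
# rules are still active in pf, not just in the generated file.
count_if_rules() {
    grep -c " on $1 " || true
}

# Example run: WAN was reassigned from igb0 to lagg0 (assumed mapping).
printf '%s\n' "$SAMPLE_RULES" | check_assignment WAN lagg0 || echo "ruleset needs regeneration"
echo "rules still on igb0: $(printf '%s\n' "$SAMPLE_PFCTL" | count_if_rules igb0)"
```

On a live box, replace the samples with `cat /tmp/rules.debug` and `pfctl -sr`; a STALE result with a non-zero count is the symptom this issue describes.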