Project

General

Profile

Actions

Regression #12949

closed

The ruleset is not regenerated after assigning an interface

Added by Steve Wheeler about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.x
Affected Architecture:
All

Description

In some circumstances the ruleset is not reloaded or regenerated after re-assigning an interface.

For example after reassigning the WAN from igb0 to lagg0 in the webgui and saving that the WAN interface is correctly switched and brings up an IP as shown in ifconfig:

lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:90:7f:da:44:72
        inet6 fe80::290:7fff:feda:4472%lagg0 prefixlen 64 scopeid 0x11
        inet 172.21.16.183 netmask 0xffffff00 broadcast 172.21.16.255
        laggproto lacp lagghash l2,l3,l4
        laggport: ix0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: ix1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

But the firewall is not usable because ruleset in place is still referencing igb0:

[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: cat /tmp/rules.debug
set limit table-entries 400000
set optimization normal
set limit states 397000
set limit src-nodes 397000

#System aliases

loopback = "{ lo0 }" 
WAN = "{ igb0 }" 
LAN = "{ igb1 }" 

That can also be seen in the running rulset:

[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: pfctl -sr | grep igb0
scrub on igb0 inet all fragment reassemble
scrub on igb0 inet6 all fragment reassemble
pass in quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" ridentifier 1000000561
pass out quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" ridentifier 1000000562
pass in quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000563
pass in quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000564
pass out quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" ridentifier 1000000565
pass in quick on igb0 inet all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" ridentifier 1647298900
pass in quick on igb0 inet6 all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" ridentifier 1647298900
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: pfctl -sr | grep lagg0
[2.6.0-RELEASE][root@m470-3.stevew.lan]/root: 

Tested using a DHCP WAN where both igb0 and lagg0 are pulling leases from the same server.

Tested in 2.6. It does not happen in 2.5.2.

Actions

Also available in: Atom PDF