Project

General

Profile

Actions

Bug #13049

closed

Empty ``negate_networks`` table breaks policy routing rules

Added by Marcos M over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Viktor Gurov
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

When negate_networks is empty, is effectively behaves the same as any. In cases where the negate_networks table ends up empty, policy routing rules will not work due to the automatic NEGATE_ROUTE rule above it catching all traffic.

Examples of when this can happen are:
  • Using an OpenVPN client without specifying a tunnel network with an interface assigned for use in policy routing
  • A second WAN for use in policy routing

Using the second example as a test, this leads to the ruleset:

table <negate_networks>
[...]
pass  in  quick  on $LAN inet proto tcp  from any  to <negate_networks> ridentifier 10000001 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "NEGATE_ROUTE: Negate policy routing for destination" 
pass  in  quick  on $LAN  $GWWAN2GW inet proto tcp  from any to any ridentifier 1649718619 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "USER_RULE" 

With this, traffic ends up matching the NEGATE_ROUTE rule and is routed through WAN1GW rather than WAN2GW.
Tested on 22.01 and 22.05.a.20220410.0600.

Actions

Also available in: Atom PDF