Project

General

Profile

Actions
Copy link

Todo #13052

closed

Consolidate vpn_networks and negate_networks tables

Added by Marcos M about 2 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

It seems currently that both vpn_networks and negate_networks end up with the same content.

table <vpn_networks> { 172.25.3.0/24  172.17.105.0/24  172.25.1.0/24 }
table <negate_networks> { 172.25.3.0/24  172.17.105.0/24  172.25.1.0/24 }

If that is indeed the case, they can be consolidated to a single table. Consideration should be given to the different options used, such as Disable Negate rules in the System / Advanced / Firewall & NAT page.

Side note: When deleting an OpenVPN Server, a filter reload is not triggered and hence the negate_networks table is not updated accordingly until the next filter reload.

Related issues

Related to Todo #13058: Add static routes and directly connected networks back to policy route negation rulesNew

Actions
Actions
Copy link
 #1

Updated by Viktor Gurov about 2 years ago

  • Assignee set to Viktor Gurov
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/713

Marcos Mendoza wrote:

Side note: When deleting an OpenVPN Server, a filter reload is not triggered and hence the negate_networks table is not updated accordingly until the next filter reload.

created a new issue: #13055

Actions
Copy link
 #2

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Rejected
  • Assignee deleted (Viktor Gurov)
  • Target version deleted (2.7.0)
  • Plus Target Version deleted (22.05)

It may have changed over time but negate_networks used to include VPNs, static routes, and directly connected networks. I think that was adjusted at various points over the years as people felt it was passing more than users wanted, though. See #12535 for part of that. At some point after the direct network parts were removed, the logic on the rules was fixed so they wouldn't pass more than intended but the content was never put back the way it was.

The best course of action here is not to combine it but to bring back the original intent of the behavior. It should go back to including static route and directly connected networks. Since the code only triggers on a destination of 'any' it should be safe these days.

Actions
Copy link
 #3

Updated by Jim Pingle about 2 years ago

  • Related to Todo #13058: Add static routes and directly connected networks back to policy route negation rules added
Actions
Copy link

Also available in: Atom PDF