Bug #13908
closed
Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.05
Release Notes: Default
Affected Version:
Affected Architecture:
Description
CARP automatically generated rules generated after defining a CARP VIP don't get removed after removing the CARP VIP.
If you manually run the filter reload, the rules will get removed.
Steps to reproduce:
- Define a CARP VIP on the WAN interface
- Confirm that the rules have been created in the /tmp/rules.debug file.
    # CARP rules
    block in log quick proto carp from (self) to any ridentifier 1000000201
    pass quick proto carp ridentifier 1000000202 no state
- Remove the CARP VIP on the WAN interface defined in step 1.
- Check the /tmp/rules.debug file again, and the rules will still be present.
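A check that follows the reproduction steps above, as an added example that is not part of the original report and is not pfSense code: it reports CARP rules still present in a generated ruleset when the configuration defines no CARP VIP. The function names, the sample files, and the assumption that each CARP VIP appears in the configuration as a `<mode>carp</mode>` element are assumptions of this example.

```shell
#!/bin/sh
# Added example (not pfSense code): report CARP rules left in a generated
# ruleset when the configuration no longer defines any CARP VIP.

# Print the CARP rule lines from a ruleset file; comment lines never match.
carp_rules() {
    grep -E '^[[:space:]]*(block|pass)([[:space:]].*)?[[:space:]]proto carp([[:space:]]|$)' "$1"
}

# Exit 0 and print the leftover rules when the ruleset is stale, 1 when it is
# consistent, 2 when an input file cannot be read.
# Assumption: the config stores each CARP VIP with a <mode>carp</mode> element.
stale_carp_rules() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    vips=$(grep -c '<mode>carp</mode>' "$2" || true)
    rules=$(carp_rules "$1" || true)
    if [ "$vips" -eq 0 ] && [ -n "$rules" ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    return 1
}

# Constructed sample inputs: the ruleset lines quoted in the report, a config
# fragment with and without a CARP VIP, and a ruleset after a filter reload.
write_samples() {
    dir=$1
    cat > "$dir/rules.debug" <<'EOF'
# CARP rules
block in log quick proto carp from (self) to any ridentifier 1000000201
pass quick proto carp ridentifier 1000000202 no state
EOF
    printf '<virtualip><vip><mode>carp</mode></vip></virtualip>\n' > "$dir/with_vip.xml"
    printf '<virtualip></virtualip>\n' > "$dir/without_vip.xml"
    printf '# CARP rules\n' > "$dir/reloaded.debug"
}

# Run the check on the constructed "VIP removed, rules not reloaded" case.
demo() {
    tmp=$(mktemp -d) && write_samples "$tmp"
    stale_carp_rules "$tmp/rules.debug" "$tmp/without_vip.xml" && echo "stale: filter reload needed"
    rm -rf "$tmp"
}

demo
```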
Updated by Jim Pingle almost 2 years ago
- Category changed from CARP to Virtual IP Addresses
- Target version set to 2.7.0
This likely applies to any VIP type, not just CARP. Though other types do not have special rules like CARP, they may still be present in other places (e.g. interface net macros).
Updated by Jim Pingle over 1 year ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset e90ba648cf5256dffbc9294bb6318c899db21f88.
Updated by Danilo Zrenjanin over 1 year ago
- Status changed from Feedback to Resolved
The patch fixes it.
Tested against:
23.01-RELEASE (amd64) built on Fri Feb 10 20:06:33 UTC 2023 FreeBSD 14.0-CURRENT
I am marking this ticket resolved.
Updated by Jim Pingle over 1 year ago
- Subject changed from CARP automatically generated rules don't get removed to Firewall rules are not reloaded when removing a VIP, outdated rules/entries remain active
Updating subject for release notes.