Bug #13934 (closed): Killing states by gateway can miss some IPv6 outbound states
% Done: 0%
Release Notes: Default
Description
Due to the default outbound rules, IPv6 outbound states are created with `gateway: ::`, which prevents the states from being deleted when using the feature introduced in #12092.

```
@159 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000015166
@683 pass in quick on vmx0.5 route-to (vmx0.99 fe80::2a2:89ff:fed1:9868) inet6 proto tcp from 2001:db8:f3:5::/64 to ! <a_Local6:13> flags S/SA keep state label "USER_RULE: internet" label "id:1653875587" label "gw:WAN_GWV6" ridentifier 1653875587

all tcp 2602:801:f006:100::a2fe:c30d[80] <- 2001:db8:f3:5:5:2283:b71e:b7ee[53152]       ESTABLISHED:ESTABLISHED
   [1599067630 + 132096] wscale 8  [3558338110 + 10878976] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 683
   id: 64f1376400000000 creatorid: 4da82510 gateway: 2001:db8:76:4::1 origif: vmx0.5
all tcp 2001:db8:f3:5:5:2283:b71e:b7ee[53152] -> 2602:801:f006:100::a2fe:c30d[80]       ESTABLISHED:ESTABLISHED
   [3558338110 + 10878976] wscale 8  [1599067630 + 132096] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 159
   id: 65f1376400000000 creatorid: 4da82510 gateway: :: origif: gif0
```
Current default rules are as follows:

```
pass out inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself"
pass out route-to ( vmx0.99 198.51.100.1 ) from 198.51.100.5 to !198.51.100.0/24 ridentifier 1000016311 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vmx0.99 198.51.100.1 ) from 10.66.55.1 to !10.66.55.0/24 ridentifier 1000016312 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vmx0.99 fe80::2a2:89ff:fed1:9868%vmx0.99 ) inet6 from 2001:db8:43:0:8928:9ecf:b0d:8b3a to !2001:db8:43:0:8928:9ecf:b0d:8b3a/64 ridentifier 1000016313 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( gif0 2001:db8:76:4::1 ) inet6 from 2001:db8:76:4::2 to !2001:db8:76:4::2/64 ridentifier 1000016314 keep state allow-opts label "let out anything from firewall host itself"
```

The following change is proposed:

- Create two additional `route-to` rules per WAN interface, one for IPv4 and one for IPv6 (VIPs should not affect this).
- Change the current `route-to` rules to instead remove the `route-to` tag which overrides the new additional rules for relevant traffic.

This would result in:

```
# default outbound rules
pass out inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself"

# new additional route-to rules
pass out on vmx0.99 route-to ( vmx0.99 198.51.100.1 ) inet ridentifier 1000016308 keep state allow-opts label "let out anything from firewall host itself"
pass out on vmx0.99 route-to ( vmx0.99 fe80::2a2:89ff:fed1:9868%vmx0.99 ) inet6 ridentifier 1000016309 keep state allow-opts label "let out anything from firewall host itself"
pass out on gif0 route-to ( gif0 2001:db8:76:4::1 ) inet6 ridentifier 1000016310 keep state allow-opts label "let out anything from firewall host itself"

# previous route-to rules changed by removing the route-to keyword and removing the "!" operator
pass out from 198.51.100.5 to 198.51.100.0/24 ridentifier 1000016311 keep state allow-opts label "let out anything from firewall host itself"
pass out from 10.66.55.1 to 10.66.55.0/24 ridentifier 1000016312 keep state allow-opts label "let out anything from firewall host itself"
pass out inet6 from 2001:db8:43:0:8928:9ecf:b0d:8b3a to 2001:db8:43:0:8928:9ecf:b0d:8b3a/64 ridentifier 1000016313 keep state allow-opts label "let out anything from firewall host itself"
pass out inet6 from 2001:db8:76:4::2 to 2001:db8:76:4::2/64 ridentifier 1000016314 keep state allow-opts label "let out anything from firewall host itself"
```
This preserves the behavior of not applying `route-to` tags for traffic from the firewall itself, hence dpinger states will continue to have a default gateway and be ignored by the kill states feature.
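As an added example (not part of the bug report and not pfSense's own code), the script below parses a state dump in the `pfctl -ss -vv` layout shown in the report and lists the states whose gateway field is unset, which is exactly the set a kill-by-gateway operation cannot select. The sample dump is constructed from the two states in the report (documentation-range addresses); the per-line layout of the dump and the `0.0.0.0` value for gateway-less IPv4 states are assumptions, as is the helper naming.

```python
"""Audit a pfctl -ss -vv style state dump for states that a gateway-based
state kill would miss (added example; not pfSense code)."""
import re
from collections import Counter

# Constructed sample in the layout of `pfctl -ss -vv` as printed in the bug
# report: one header line per state followed by indented detail lines.
SAMPLE_DUMP = """\
all tcp 2602:801:f006:100::a2fe:c30d[80] <- 2001:db8:f3:5:5:2283:b71e:b7ee[53152]       ESTABLISHED:ESTABLISHED
   [1599067630 + 132096] wscale 8  [3558338110 + 10878976] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 683
   id: 64f1376400000000 creatorid: 4da82510 gateway: 2001:db8:76:4::1 origif: vmx0.5
all tcp 2001:db8:f3:5:5:2283:b71e:b7ee[53152] -> 2602:801:f006:100::a2fe:c30d[80]       ESTABLISHED:ESTABLISHED
   [3558338110 + 10878976] wscale 8  [1599067630 + 132096] wscale 8
   age 00:01:28, expires in 23:59:36, 687:763 pkts, 56912:1126469 bytes, rule 159
   id: 65f1376400000000 creatorid: 4da82510 gateway: :: origif: gif0
"""

# Gateway values printed for states created by a rule without route-to.
# "::" is what the report shows for IPv6; "0.0.0.0" for IPv4 is an assumption.
UNSET_GATEWAYS = {"::", "0.0.0.0"}

# Header: <if> <proto> <addr[port]> <dir> <addr[port]> <state:state>
HEADER_RE = re.compile(
    r"^(?P<if>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<dir><-|->|<->)\s+"
    r"(?P<b>\S+)\s+(?P<st>\S+)"
)
# Fields of interest on the indented detail lines.
DETAIL_RE = {
    "rule": re.compile(r"\brule (\d+)"),
    "id": re.compile(r"\bid: ([0-9a-f]+)"),
    "gateway": re.compile(r"\bgateway: (\S+)"),
    "origif": re.compile(r"\borigif: (\S+)"),
}


def parse_states(dump: str) -> list[dict]:
    """Turn a state dump into a list of dicts, one per state entry."""
    states: list[dict] = []
    cur: dict | None = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised state header: {line!r}")
            cur = {"if": m["if"], "proto": m["proto"],
                   "direction": m["dir"], "state": m["st"]}
            # With "<-" the initiator (source) is printed on the right,
            # with "->" on the left, matching the two entries in the report.
            if m["dir"] == "<-":
                cur["src"], cur["dst"] = m["b"], m["a"]
            else:
                cur["src"], cur["dst"] = m["a"], m["b"]
            states.append(cur)
        else:
            if cur is None:
                raise ValueError("detail line before any state header")
            for key, rx in DETAIL_RE.items():
                dm = rx.search(line)
                if dm:
                    cur[key] = dm.group(1)
    return states


def states_missed_by_gateway_kill(states: list[dict]) -> list[dict]:
    """States no kill-by-gateway can select: their gateway field is unset."""
    return [s for s in states if s.get("gateway") in UNSET_GATEWAYS]


def states_for_gateway(states: list[dict], gateway: str) -> list[dict]:
    """States a kill-by-gateway for `gateway` would select."""
    return [s for s in states if s.get("gateway") == gateway]


def gateway_summary(states: list[dict]) -> Counter:
    """Count states per (origif, gateway) to spot interfaces carrying
    gateway-less states, e.g. the gif0 tunnel in the report."""
    return Counter((s.get("origif"), s.get("gateway")) for s in states)


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_DUMP)
    for s in states_missed_by_gateway_kill(parsed):
        print(f"rule {s['rule']} on {s['origif']}: {s['src']} -> {s['dst']} "
              f"has no gateway; a gateway-based kill will skip it")
    for (origif, gw), n in sorted(gateway_summary(parsed).items()):
        print(f"{origif:8} gateway {gw:20} {n} state(s)")
```

On a live system the same functions can be fed the output of `pfctl -ss -vv` to confirm, before relying on a gateway-based kill, which outbound states would survive it.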
Related issues
Updated by Marcos M almost 2 years ago
- Related to Feature #12092: Utilize new ``pfctl`` abilities to kill states added
Updated by Marcos M 11 months ago
- Subject changed from Killing states by gateway does not match all outbound traffic to Killing states by gateway can miss some IPv6 outbound states
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version set to 2.8.0
- Plus Target Version set to 24.03
Updated by Marcos M 11 months ago
- Status changed from Pull Request Review to Closed
This will need to be handled with custom floating rules. With the proposed change, the route-to rules for secondary WANs would not match due to the state being created for the current default WAN interface instead (details on #12630).
Updated by Jim Pingle 11 months ago
- Category changed from Rules / NAT to Gateways
- Target version deleted (2.8.0)
- Plus Target Version deleted (24.03)