Bug #14007
closed
Using PF reserved keywords for interface descriptions results in an invalid ruleset
100%
Description
Interface descriptions are used to generate system aliases placed in /tmp/rules.debug. Interface descriptions are checked against the reserved aliases list leading to firewall rules failing to be generated.
Example:user = "{ lagg0.66 }"
<opt9>
<descr><![CDATA[user]]></descr>
<if>lagg0.66</if>
<enable></enable>
<ipaddr>10.60.6.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt9>
There were error(s) loading the rules: /tmp/rules.debug:19: syntax error - The line in question reads [19]: user = "{ lagg0.66 }"
Reserved list: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/globals.inc#L223
Updated by
Updated by Jim Pingle about 1 year ago
- Subject changed from Using reserved alias names for interface descriptions causes filter reloads to fail to Using PF reserved keywords for interface descriptions results in an invalid ruleset
- Target version set to 2.7.0
- Plus Target Version set to 23.05
Updated by Jim Pingle about 1 year ago
- Status changed from New to In Progress
The fix for #14057 likely also solved this as a byproduct but we should still reject these names just in case.
I can't reproduce the problem on a current snap because the ruleset gets the name in uppercase now, so it's:
USER = "{ vtnet2 }"
Since it's uppercase it doesn't directly match the reserved keyword.
Still better to be safe, some other future intentional change could break it again one way or another.
Updated by Jim Pingle about 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 7ce12dcb36c73d6526dd46ef6b790d189be25a40.
Updated by Georgiy Tyutyunnik about 1 year ago
patch fixes the issue, prohibiting the reserved pf keywords from being configured as interface names
Tested on:
Version 23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023
FreeBSD 14.0-CURRENT