Bug #14478
Status: Closed
Ethernet rules using ``(self)`` as a source or destination make the ruleset fail to load
% Done: 100%
Description
A specific Ethernet rule configuration produces a rule loading error. It seems to be linked to "Destination IP" being set to "OPT1 net" and "OPT2 net". Changing MACs and/or Ethernet protocols yields no results.
OPT1, OPT2 and OPT3 are configured as VLAN interfaces with tags 256, 257 and 258 and subnets 192.168.56.0/24, 192.168.57.0/24 and 192.168.58.0/24.
Error:
There were error(s) loading the rules: /tmp/rules.debug:39: from must be an address or table - The line in question reads [39]: ether pass on { hn1.256 } proto 0x0800 from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from (self) to 192.168.56.0/24 ridentifier 1686137553 label "id:1686137553" label "USER_ETH_RULE: 1"
@ 2023-06-13 16:03:01
Rule config attached
Tested on
Version 23.05-RELEASE (amd64)
built on Mon May 22 15:04:36 UTC 2023
FreeBSD 14.0-CURRENT
Updated by Christian McDonald 11 months ago
- Assignee set to Christian McDonald
Tracked this down. Fix in progress.
Updated by Christian McDonald 11 months ago
- Status changed from New to In Progress
Updated by Christian McDonald 11 months ago
The issue here is that pfctl is not correctly parsing the case where the L3 host spec is a dynamic host, that is, (self) is interpreted as a dynamic host (one that is unknown at parse time but resolved and re-resolved at runtime), and self is a static host, one that is known at parse time and passed through the optimizer.
Additionally, there is no support (yet) in the kernel for dynamic L3 hosts for Ethernet rules.
I am working on that now.
Updated by Marcos M 7 months ago
- Status changed from In Progress to Pull Request Review
- Assignee changed from Christian McDonald to Marcos M
From what I can tell, (self) is the only "dynamic host" we use in pfSense; everything else is a "static host". Firewall aliases work as expected, e.g.:
table <d_VPN_Gateway> { 172.25.0.1 }
d_VPN_Gateway = "<d_VPN_Gateway>"
ether pass quick on { vmx0 } from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from any to $d_VPN_Gateway ridentifier 1695761564 label "id:1695761564"
We can simply omit (self) now, and re-add it whenever it's supported.
https://gitlab.netgate.com/pfSense/factory/-/merge_requests/107
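A pre-load check for the condition discussed in the two comments above, added here as an example and not part of pfSense or the linked merge request: it scans a rules.debug-style ruleset for ether rules whose l3 clause uses a dynamic host such as (self), which pfctl rejects on the affected release, while leaving IP rules and alias-based ether rules alone. The sample ruleset is constructed from the lines quoted in this ticket, and the list of trailing ether-rule options used to delimit the l3 clause is an assumption.

```python
import re

# Constructed sample modelled on the rules quoted in this ticket (not a real
# pfSense-generated /tmp/rules.debug). Line 3 is the failing rule; line 4 is
# the alias-based rule that loads fine; line 5 is an IP rule, where (self) is valid.
SAMPLE_RULES = """\
table <d_VPN_Gateway> { 172.25.0.1 }
d_VPN_Gateway = "<d_VPN_Gateway>"
ether pass on { hn1.256 } proto 0x0800 from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from (self) to 192.168.56.0/24 ridentifier 1686137553 label "id:1686137553" label "USER_ETH_RULE: 1"
ether pass quick on { vmx0 } from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from any to $d_VPN_Gateway ridentifier 1695761564 label "id:1695761564"
pass in on hn1.256 from (self) to any
"""

# pf writes a dynamic host as a parenthesised interface name: (self), (hn1.256).
# Literal addresses, 'any', <tables> and $macros are static and are accepted.
DYNAMIC_HOST = re.compile(r"\(\s*[A-Za-z][\w.:]*\s*\)")

# The l3 clause runs from the 'l3' keyword up to the next trailing option
# (or end of line). Best-effort: the terminator list is an assumption.
L3_CLAUSE = re.compile(
    r"\bl3\b(?P<spec>.*?)(?=\s+(?:ridentifier|label|queue|tag|tagged)\b|$)"
)


def find_dynamic_l3_hosts(ruleset: str):
    """Return (line_number, host) for every 'ether' rule whose l3 source or
    destination is a dynamic host. Non-ether rules are skipped because pf's
    IP rules accept (self); only Ethernet rules lacked kernel support."""
    findings = []
    for number, line in enumerate(ruleset.splitlines(), start=1):
        if not line.lstrip().startswith("ether "):
            continue
        match = L3_CLAUSE.search(line)
        if match is None:
            continue  # pure L2 rule, no IP host spec at all
        for host in DYNAMIC_HOST.findall(match.group("spec")):
            findings.append((number, host))
    return findings


def main() -> None:
    for number, host in find_dynamic_l3_hosts(SAMPLE_RULES):
        print(f"line {number}: ether rule uses dynamic L3 host {host}; "
              "pfctl will reject it ('from must be an address or table')")


if __name__ == "__main__":
    main()
```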
Updated by Jim Pingle 7 months ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
The fix for this was merged last week.
Updated by Jim Pingle 7 months ago
- Subject changed from Ethernet rules breaking firewall rules loading to Ethernet rules using ``(self)`` as a source or destination make the ruleset fail to load
Updated by Georgiy Tyutyunnik 7 months ago
Tested on:
Version 23.09-BETA (amd64)
built on Fri Oct 13 6:00:00 UTC 2023
FreeBSD 14.0-CURRENT
This version has the issue fixed; the Ethernet rule is processed correctly.