Bug #14478
closed
Ethernet rules using ``(self)`` as a source or destination make the ruleset fail to load
Added by Georgiy Tyutyunnik 11 months ago.
Updated 7 months ago.
Affected Plus Version:
23.05
Description
Specific Ethernet rule configuration produces rules loading error. Seems to be linked with "Destination IP" set as "OPT1 net" and "OPT2 net". Changing MACs and/or Ethernet protocols yields no results.
OPT1 OPT2 OPT3 configured as interface VLANs with 256-257-258 tags and 192.168.56-57-58.0/24 subnets.
Error:
There were error(s) loading the rules: /tmp/rules.debug:39: from must be an address or table - The line in question reads [39]: ether pass on { hn1.256 } proto 0x0800 from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from (self) to 192.168.56.0/24 ridentifier 1686137553 label "id:1686137553" label "USER_ETH_RULE: 1"
@ 2023-06-13 16:03:01
Rule config attached
Tested on
Version 23.05-RELEASE (amd64)
built on Mon May 22 15:04:36 UTC 2023
FreeBSD 14.0-CURRENT
Files
- Target version set to 23.09
- Assignee set to Christian McDonald
Tracked this down. Fix in progress.
- Status changed from New to In Progress
The issue here is that pfctl is not correctly parsing the case where the L3 host spec is a dynamic host, that is (self) is interpreted as a dynamic host (one that is unknown during parse-time but resolve and re-resolved during runtime) and self is a static host, one that is known at parse-time and passed through the optimizer.
Additionally, there is no support (yet) in the kernel for dynamic L3 hosts for ethernet rules.
I am working on that now
- Priority changed from Low to Normal
- Status changed from In Progress to Pull Request Review
- Assignee changed from Christian McDonald to Marcos M
From what I can tell, (self) is the only "dynamic host" we use in pfSense, everything else is a "static host". Firewall aliases work as expected, e.g.:
table <d_VPN_Gateway> { 172.25.0.1 }
d_VPN_Gateway = "<d_VPN_Gateway>"
ether pass quick on { vmx0 } from 00:00:00:00:00:00 to 00:00:00:00:00:00 l3 from any to $d_VPN_Gateway ridentifier 1695761564 label "id:1695761564"
We can simply omit (self) now, and re-add it whenever it's supported.
https://gitlab.netgate.com/pfSense/factory/-/merge_requests/107
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
The fix for this was merged last week.
- Subject changed from Ethernet rules breaking firewall rules loading to Ethernet rules using ``(self)`` as a source or destination make the ruleset fail to load
tested on:
Version 23.09-BETA (amd64)
built on Fri Oct 13 6:00:00 UTC 2023
FreeBSD 14.0-CURRENT
this version has this issue fixed, ethernet rule is processed correctly
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by