Regression #16672
openFirewall rules matching and tagging across distinct anchors are ignored by subsequent tagged rule
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.03
Release Notes: Default
Affected Version: 2.9.0
Affected Architecture: All
Description
Starting at pfSense Plus 25.11, our team noticed a bug occurring on x86 hardware such as the Netgate 4200/6100.
I've tested on Netgate 2100 (aarch64) and Netgate 3100 (armv7), and the issue does not occur there.
The bug gets triggered when two same or similar match rules (attaching a tag) under two distinct anchors (depth 1 and 2 tested) match a packet. In this scenario, any remaining rules that would match such a packet by tag get ignored and a default rule applies.
Basic Reproduction in pf
block in inet all
anchor "first" {
match from <ip_address_or_table> to <ip_address_or_table> tag "allow"
}
anchor "second" {
match from <ip_address_or_table> to <ip_address_or_table> tag "allow"
}
pass in quick on <interface> inet from any to any tagged "allow" keep state
Meanwhile this works:
block in inet all
anchor "firstandonly" {
match from <ip_address_or_table> to <ip_address_or_table> tag "allow"
}
pass in quick on <interface> inet from any to any tagged "allow" keep state
Steps to Reproduce on pfSense
- Delete all firewall rules on the LAN interface, and create a single allow any rule that allows traffic tagged with example_tag.
- Run the attached script matching-anchor-bug.sh on the pfSense appliance. It creates the test match rules under the userrules/* anchor.
- From an endpoint on the LAN, try to ping 208.123.73.78.
- Notice in /var/log/filter.log that the match rules get hit, but the pass rule you created in the LAN interface does not.
- Now re-run the script as follows: ./matching-anchor-bug.sh single-anchor
- Notice how the ping immediately starts to be passed as it's now hitting your pass rule.
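A check that complements the filter.log step above, added here as an example and not taken from the report or its attached script: it parses the per-rule counters from `pfctl -a '*' -vsr` so the symptom (the tagged pass rule is evaluated but never matches) can be confirmed from counters rather than only from the log. The interface name, addresses and counter values in SAMPLE_RULES are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: read `pfctl -a '*' -vsr`
# output and report, for every rule that sets or consumes a tag, how
# often it was evaluated and how many packets it matched.

# Constructed stand-in for `pfctl -a '*' -vsr` output in the two-anchor
# scenario from the report (interface, addresses and counters invented).
SAMPLE_RULES='block drop in inet all
  [ Evaluations: 12        Packets: 3         Bytes: 252        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
anchor "userrules/first" all {
  match inet from 192.168.1.0/24 to 203.0.113.10 tag "example_tag"
    [ Evaluations: 3         Packets: 3         Bytes: 252        States: 0     ]
}
anchor "userrules/second" all {
  match inet from 192.168.1.0/24 to 203.0.113.10 tag "example_tag"
    [ Evaluations: 3         Packets: 3         Bytes: 252        States: 0     ]
}
pass in quick on igc1 inet all flags S/SA keep state tagged "example_tag"
  [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]'

# tag_counters RULES -> "<evaluations> <packets> <rule>" for each rule
# that sets ("tag") or consumes ("tagged") a tag.
tag_counters() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(pass|block|match)[[:space:]]/ {
            rule = $0; sub(/^[[:space:]]+/, "", rule); next
        }
        /Evaluations:/ && rule != "" {
            evals = 0; pkts = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") evals = $(i + 1)
                if ($i == "Packets:")     pkts  = $(i + 1)
            }
            if (rule ~ /tag(ged)? "/) printf "%s %s %s\n", evals, pkts, rule
            rule = ""
        }'
}

# tag_verdict RULES -> ok | never-reached | tag-lost | no-tagged-pass-rule
# for the first "tagged" pass rule found; exit status 1 unless ok.
tag_verdict() {
    line=$(tag_counters "$1" | awk '$3 == "pass" && / tagged "/ { print; exit }')
    [ -n "$line" ] || { echo no-tagged-pass-rule; return 1; }
    evals=${line%% *}; rest=${line#* }; pkts=${rest%% *}
    [ "$evals" -gt 0 ] || { echo never-reached; return 1; }
    [ "$pkts" -gt 0 ] || { echo tag-lost; return 1; }
    echo ok
}
```

On the appliance, run `tag_verdict "$(pfctl -a '*' -vsr)"` after the ping test; "tag-lost" reproduces the report, "ok" is what the single-anchor run should give.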
Files