Bug #16756: Editing a Firewall Rule before Forcing pfBlockerNG Update Empties All Aliases - pfSense Packages - pfSense bugtracker

Actions

Copy link

Bug #16756

open

Editing a Firewall Rule before Forcing pfBlockerNG Update Empties All Aliases

Added by Kris Phillips 25 days ago. Updated 18 days ago.

Status:

In Progress

Priority:

Normal

Assignee:

Marcos M

Category:

pfBlockerNG

Target version:

pfSense - 2.9.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

26.03

Affected Version:

2.9.0

Affected Plus Version:

26.03

Affected Architecture:

Description

When editing a firewall rule and then forcing a pfBlockerNG Update command, all aliases will become empty until you run a force reload in pfBlockerNG.

Steps to reproduce:
1. Edit any firewall rule (doesn't need to be a pfBlockerNG rule)
2. Go to Firewall --> pfBlockerNG --> Update, select "Update" and run
3. Go to Firewall --> Rules and hover over any firewall rule with a pfBlockerNG alias. The alias will be empty.

To resolve, you must go to Firewall --> pfBlockerNG --> Update and run a "Reload" to fix the issue.

Files

Download all files

EmptyRulesAfterUpdate.png (78.2 KB) EmptyRulesAfterUpdate.png		Kris Phillips, 03/21/2026 08:31 PM
FixedRulesAfterForceReload.png (194 KB) FixedRulesAfterForceReload.png		Kris Phillips, 03/21/2026 08:31 PM

Actions

Copy link

Updated by Kris Phillips 25 days ago

File FixedRulesAfterForceReload.png FixedRulesAfterForceReload.png added
File EmptyRulesAfterUpdate.png EmptyRulesAfterUpdate.png added

Tested on pfBlockerNG 3.2.15_2. Going to Status --> Filter Reload and manually reloading there does not fix it.

Output of pfSsh.php playback pfanchordrill:

###################

translation rules ###################
nat-anchor "natearly/*" all {
}
nat-anchor "natrules/*" all {
}
rdr-anchor "tftp-proxy/*" all {
} ##############
filter rules ##############
anchor "openvpn/*" all {
}
anchor "ipsec/*" all {
}
anchor "userrules/*" all {
}
anchor "tftp-proxy/*" all {
}

Actions

Copy link

Updated by Kris Phillips 25 days ago

Something of note: I have Alias Deny set for my GeoIP rules. Not Deny, Match, or Permit.

Actions

Copy link

Updated by Steve Y 23 days ago

Forum thread: https://forum.netgate.com/topic/200372/pfblockerng_devel-on-25.11.1-instability/

Per your note, the routers on which I replicated it use Alias Native or Deny for GeoIP.

Disabling a rule is sufficient to trigger this.

Actions

Copy link

Updated by Marcos M 22 days ago

Status changed from New to In Progress
Assignee set to Marcos M

Actions

Copy link

Updated by Marcos M 22 days ago

The issue is triggered when the pfBlockerNG update/reload detects a change to aliases and/or rules and the resulting ruleset file is the same as before the pfBlockerNG update/reload process.

For example:

Set up LAN with a single allow-all rule (remove existing rules then create a new one).
Apply any changes.
Set the pfBlockerNG rule order to "Default format".
Set up pfBlockerNG with an IP list set to "Deny Outbound".
Run a forced pfBlockerNG update.

At this point things should be working correctly. Then:

Move the auto-created rule from the top to the bottom (don't apply changes).
Run a forced pfBlockerNG update.

At this point the pfBlockerNG alias referenced in the auto-created rule is empty. This happens because during the forced update pfBlockerNG sets the firewall config, kills all (pfB_*) pf tables with pfctl -t <table> -T kill, and then runs a filter reload. The firewall config has now essentially been rolled back to before the rule was manually moved in the above steps. Additionally since 1) changes were not previously applied (in step 1), and 2) the ruleset file doesn't contain the table contents itself, then the ruleset file remains unchanged and the pf ruleset reload is skipped. That ruleset reload is currently responsible for repopulating the killed pf tables.

The issue can be fixed by having pfBlockerNG kill its pf tables only if they are no longer referenced in a rule. This change would retain what seems to be the original intent of the code while also being more efficient (only the necessary tables are cleared and the ruleset is only reloaded when needed).

Potential fix: Show Hide

diff --git a/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc b/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc
index 482cd1f52057..78035231706a 100644
--- a/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc
+++ b/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc
@@ -10050,8 +10050,12 @@ function sync_package_pfblockerng($cron='') {
     #    Assign Rules    #
     #########################

+    // Any pfB alias not in this list will be killed.
+    $pfb_active_aliases = null;
+
     // Only execute if autorules are defined or if an alias has been removed.
     if ($pfb['autorules'] || $pfb['enable'] == '' || $pfb['remove']) {
+        $pfb_active_aliases = [];
         $message = '';
         if (!empty($pfb['deny_inbound']) || !empty($pfb['permit_inbound']) || !empty($pfb['match_inbound'])) {
             if (empty($pfb['inbound_interfaces'])) {
@@ -10136,6 +10140,14 @@ function sync_package_pfblockerng($cron='') {
                         }
                     }

+                    // Track pfB aliases referenced by rules.
+                    foreach (array('source', 'destination') as $rtype) {
+                        if ((substr($rule[$rtype]['address'], 0, 4) == 'pfB_') &&
+                            !in_array($rule[$rtype]['address'], $pfb_active_aliases)) {
+                            $pfb_active_aliases[] = $rule[$rtype]['address'];
+                        }
+                    }
+
                     // Remove 'created' tag
                     if (isset($rule['created'])) {
                         unset($rule['created']);
@@ -10385,12 +10397,31 @@ function sync_package_pfblockerng($cron='') {
             pfb_logger("{$log}\n", 1);
         }

-        // Remove all pfB aliastables
         exec("{$pfb['pfctl']} -s Tables | {$pfb['grep']} '^pfB_'", $pfb_tables);
         if (isset($pfb_tables)) {
+            $final_alias = array();
+            $pfb_active_aliases = isset($pfb_active_aliases) ? array_unique($pfb_active_aliases) : [];
+            if ($pfb['repcheck'] && ($pfb['drep'] == 'on' || $pfb['prep'] == 'on')) {
+                if (!empty($pfb_alias_lists_all)) {
+                    $final_alias = array_intersect(array_unique($pfb_alias_lists_all), $pfb_active_aliases);
+                }
+            } else {
+                if (!empty($pfb_alias_lists)) {
+                    $final_alias = array_intersect(array_unique($pfb_alias_lists), $pfb_active_aliases);
+                }
+            }
             foreach ($pfb_tables as $pfb_table) {
                 $pfb_table_esc = escapeshellarg($pfb_table);
-                exec("{$pfb['pfctl']} -t {$pfb_table_esc} -T kill 2>&1", $result);
+                $pfb_table_path_esc    = escapeshellarg("{$pfb['aliasdir']}/{$pfb_table}.txt");
+                if (in_array($pfb_table, $pfb_active_aliases)) {
+                    if (in_array($pfb_table, $final_alias)) {
+                        // Replace active pfB aliastables which have been updated
+                        exec("{$pfb['pfctl']} -t {$pfb_table_esc} -T replace -f {$pfb_table_path_esc} 2>&1", $result);
+                    }
+                } else {
+                    // Remove inactive pfB aliastables
+                    exec("{$pfb['pfctl']} -t {$pfb_table_esc} -T kill 2>&1", $result);
+                }
             }
         }

Actions

Copy link