Bug #1697

closed

Interface group doesn't apply to all interfaces in all cases

Added by Chris Buechler over 12 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/20/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

I have an interface group "WANs" containing two WANs, em1 and em2. This is correct.

# ifconfig -g WANs
em1
em2

One rule on that interface group.

pass  in  quick  on $WANs  from   204.x.x.x to any keep state  label "USER_RULE: testing" 

Works fine on em2, but em1 still blocks all traffic from the specified source. Something not working there.

Jul 20 00:44:29 fw1 pf: 00:00:00.972925 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, id 46106, offset 0, flags [none], proto ICMP (1), length 84)
Jul 20 00:44:29 fw1 pf:     204.x.x.x.x > 96.x.x.x.x: ICMP echo request, id 36356, seq 21, length 64
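A small checker for the symptom in this report, added here and not part of the ticket: it pairs pflog header and packet lines, then flags any block that landed on an interface belonging to a group for which a pass rule covers that source. The group membership, the rule fields and the log lines are constructed to mirror the report (documentation addresses replace the redacted ones).

```python
import re

# Constructed inputs modelled on the report (addresses are documentation
# ranges, not the redacted ones in the ticket).
GROUP_MEMBERS = {"WANs": ["em1", "em2"]}          # as `ifconfig -g WANs` lists them
GROUP_PASS_RULES = [                               # the single group rule from the report
    {"group": "WANs", "dir": "in", "src": "203.0.113.7"},
]
PF_LOG = """\
Jul 20 00:44:29 fw1 pf: 00:00:00.972925 rule 1/0(match): block in on em1: (tos 0x0, ttl 52, id 46106, offset 0, flags [none], proto ICMP (1), length 84)
Jul 20 00:44:29 fw1 pf:     203.0.113.7 > 198.51.100.9: ICMP echo request, id 36356, seq 21, length 64
Jul 20 00:44:30 fw1 pf: 00:00:00.001201 rule 7/0(match): pass in on em2: (tos 0x0, ttl 52, id 46107, offset 0, flags [none], proto ICMP (1), length 84)
Jul 20 00:44:30 fw1 pf:     203.0.113.7 > 198.51.100.9: ICMP echo request, id 36356, seq 22, length 64
"""

# pflog prints one header line (rule, action, direction, interface) followed
# by one tcpdump-style packet line (src > dst).
HEADER_RE = re.compile(r"rule (\S+)\(match\): (block|pass) (in|out) on (\w+):")
PACKET_RE = re.compile(r"pf:\s+(\S+) > (\S+):")

def _host(addr):
    """Strip a trailing .port from tcpdump's host.port form (ICMP has none)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def parse_pf_log(text):
    """Pair header and packet lines into one event dict per logged packet."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            pending = dict(zip(("rule", "action", "dir", "iface"), m.groups()))
            continue
        m = PACKET_RE.search(line)
        if m and pending is not None:
            pending["src"], pending["dst"] = _host(m.group(1)), _host(m.group(2))
            events.append(pending)
            pending = None
    return events

def group_rule_misses(events, groups=GROUP_MEMBERS, rules=GROUP_PASS_RULES):
    """Return blocked packets that a group pass rule should have matched,
    i.e. the block hit an interface that is a member of the rule's group."""
    misses = []
    for ev in events:
        if ev["action"] != "block":
            continue
        for r in rules:
            if (r["dir"] == ev["dir"] and r["src"] == ev["src"]
                    and ev["iface"] in groups.get(r["group"], [])):
                misses.append({"iface": ev["iface"], "src": ev["src"],
                               "rule": ev["rule"], "group": r["group"]})
    return misses

if __name__ == "__main__":
    for miss in group_rule_misses(parse_pf_log(PF_LOG)):
        print(f"block on {miss['iface']} (rule {miss['rule']}) despite "
              f"{miss['group']} pass rule for {miss['src']}")
```

Run against a real pflog export alongside the output of `ifconfig -g <group>` to confirm a group rule is actually matching on every member interface after a ruleset reload.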
#1

Updated by Chris Buechler over 12 years ago

  • Priority changed from Normal to High
  • Target version changed from 2.0 to 2.0.1
#2

Updated by Chase Bolt over 12 years ago

This appears fixed. Pings flow through both interfaces in a group, matching on the correct rule.

Tested on 2.0-RELEASE Build Tue Sep 13 17:33:40 EDT 2011.

#3

Updated by Chris Buechler over 12 years ago

  • Status changed from New to Feedback
  • Target version deleted (2.0.1)
#4

Updated by Chase Bolt over 12 years ago

Ok, so our initial tests showed this issue was resolved. But when applying live traffic on the box, about 70% of the traffic hit this bug. We aren't clear on the circumstances that made the 70% traffic use the non-group rule set yet.

Hopefully more info on this to follow.

#5

Updated by Chris Buechler almost 10 years ago

  • Status changed from Feedback to Resolved