
Bug #1950

"Bypass firewall rules for traffic on the same interface" doesn't work as intended

Added by Jim Pingle almost 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules/NAT
Target version:
Start date: 10/12/2011
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

The rules from "Bypass firewall rules for traffic on the same interface" go at the end of the ruleset, and thus are not actually bypassing anything unless there are no rules in the interface that match the traffic.

Seems to be compounded by the fact that somehow the negation for policy routing of static route networks isn't working either.
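Added illustration, not part of the bug report or of pfSense's own code: a small Python model of pf's rule evaluation (the last matching rule decides, unless a matching rule carries quick, which ends evaluation at once). It shows why bypass rules appended at the end of the ruleset never get to decide for traffic that an earlier quick policy-routing rule already matched, and how a pass rule for a negate_networks table placed ahead of the policy-routing rule keeps static-route and VPN destinations off the route-to path. The networks, gateway address, rule labels and the exact shape of the negation rule are constructed assumptions; the rules pfSense actually generates differ in detail.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (assumption, not taken from the report).
LAN_NET = "192.168.1.0/24"
STATIC_ROUTE_NET = "10.10.0.0/16"   # reached via a router that sits on the LAN segment
VPN_NET = "10.200.0.0/24"           # remote VPN network
WAN_GW = "203.0.113.1"              # gateway used by the policy-routing rule

# Table as described in the fix: VPN and static-route networks that must not be policy routed.
TABLES = {"negate_networks": [STATIC_ROUTE_NET, VPN_NET]}


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False             # pf 'quick': stop evaluating on match
    iface: str = "any"
    src: str = "any"                # CIDR or "any"
    dst: str = "any"                # CIDR, "<table>" or "any"
    negate_dst: bool = False        # models "to ! <table>"
    route_to: Optional[str] = None  # policy-routing gateway, None = normal routing
    label: str = ""


@dataclass
class Packet:
    iface: str
    src: str
    dst: str


def _addr_matches(spec: str, addr: str, negate: bool = False) -> bool:
    if spec == "any":
        hit = True
    elif spec.startswith("<") and spec.endswith(">"):
        nets = TABLES[spec[1:-1]]
        hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return hit != negate


def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, except that a matching rule
    with 'quick' ends evaluation immediately. With no match at all pf's implicit
    default is pass. Returns (action, route_to, label) of the deciding rule."""
    decision = ("pass", None, "implicit default")
    for r in rules:
        if r.iface not in ("any", pkt.iface):
            continue
        if not _addr_matches(r.src, pkt.src):
            continue
        if not _addr_matches(r.dst, pkt.dst, r.negate_dst):
            continue
        decision = (r.action, r.route_to, r.label)
        if r.quick:
            break
    return decision


# The user's LAN rule with a gateway selected: emitted with quick and route-to.
POLICY_RULE = Rule("pass", quick=True, iface="lan", src=LAN_NET, dst="any",
                   route_to=WAN_GW, label="user rule: LAN net to any via WAN_GW")

# The "bypass" rule for the static-route network, appended at the END of the
# ruleset as the report describes (hypothetical shape).
BYPASS_RULE = Rule("pass", iface="lan", src=LAN_NET, dst=STATIC_ROUTE_NET,
                   label="bypass: same-interface traffic to static route net")


def buggy_ruleset():
    """Bypass rule sits after the quick policy-routing rule, so it never decides."""
    return [POLICY_RULE, BYPASS_RULE]


def fixed_ruleset():
    """Assumed shape of the fix: a quick pass rule for <negate_networks> with no
    route-to, placed ahead of the policy-routing rule."""
    negate_rule = Rule("pass", quick=True, iface="lan", src=LAN_NET,
                       dst="<negate_networks>", label="negate policy routing")
    return [negate_rule, POLICY_RULE, BYPASS_RULE]


def gateway_for(rules, dst: str) -> Optional[str]:
    """Gateway a LAN host's packet to dst is route-to'd through (None = routing table)."""
    return evaluate(rules, Packet("lan", "192.168.1.10", dst))[1]


def deciding_rule(rules, dst: str) -> str:
    return evaluate(rules, Packet("lan", "192.168.1.10", dst))[2]


if __name__ == "__main__":
    for name, rules in (("buggy", buggy_ruleset()), ("fixed", fixed_ruleset())):
        for dst in ("10.10.5.5", "10.200.0.7", "198.51.100.9"):
            print(name, dst, "->", gateway_for(rules, dst), "|", deciding_rule(rules, dst))
```

In the buggy ruleset a LAN host talking to the static-route network is sent to the WAN gateway because the quick policy-routing rule matches first and the bypass rule at the end is never reached; the same holds for any rule appended after a matching quick rule, which is the ordering problem the report describes. With the negate_networks rule in front, static-route and VPN destinations fall through to normal routing while everything else is still policy routed.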

Associated revisions

Revision c066ea8a (diff)
Added by Seth Mos almost 8 years ago

Remove the old direct_networks table which is not used throughout the filter code. Instead we now create a negate_networks table which contains both VPNs and directly connected networks (static routes), which should never be tagged for policy routing as that breaks traffic.
This fixes Ticket #1950 and needs to be MFC to 2.0 for 2.0.1

Conflicts:

etc/inc/filter.inc

Revision cf37ec23 (diff)
Added by Seth Mos almost 8 years ago

Remove the old direct_networks table which is not used throughout the filter code. Instead we now create a negate_networks table which contains both VPNs and directly connected networks (static routes), which should never be tagged for policy routing as that breaks traffic.
This fixes Ticket #1950 and needs to be MFC to 2.0 for 2.0.1

History

#1 Updated by Seth Mos almost 8 years ago

  • Status changed from New to Feedback

The direct_networks table was never used but initially created for the purpose of negate policy based routing rules. This now extends to the static routes as well.

#2 Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Resolved
