Bug #6985

NPt rules are causing a filter error on 2.4

Added by Jim Pingle 7 months ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 12/05/2016
Due date:
% Done: 100%
Affected version: 2.4
Affected Architecture: All

Description

Network Prefix Translation rules that worked on 2.3.2 are causing a filter reload error on 2.4

Real addresses masked below.

GUI Config:
Firewall > NAT, NPt tab (/firewall_nat_npt.php)
  • Disabled: Unchecked
  • Interfaces: HENETV6
  • Internal Prefix NOT: Unchecked
  • Internal Prefix Address: 2001:db8:1:D000::/52
  • Destination Prefix NOT: Unchecked
  • Destination Prefix Address: 2001:xxxx:xxxx:D000::/52
  • Description: Test Net 2

Log message produced:

Dec 5 13:54:48     php-fpm     23620     /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:137: syntax error - The line in question reads [137]: binat on $HENETV6 from any to 2001:xxxx:xxxx:D000::/52 -> 2001:db8:1:D000::/52

Lines for this NPt entry in /tmp/rules.debug (lines 136-137):

binat on $HENETV6 from 2001:db8:1:D000::/52 to any -> 2001:xxxx:xxxx:D000::/52
binat on $HENETV6 from any to 2001:xxxx:xxxx:D000::/52 -> 2001:db8:1:D000::/52

I'll push a commit to comment out the second line to prevent the filter reload error momentarily so that it does not negatively impact others until a fix is determined. It may be that the second line is no longer needed, but testing is required to confirm that yet.
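
A log check for the alert quoted in the description, as an added example that is not part of the ticket or of pfSense's code: it pulls the rules file, line number and offending rule out of a filter reload alert and reports which of the two binat forms shown above failed to load. The function names and the form labels are hypothetical, and the second sample log line is constructed.

```python
import re

# Alert wording as it appears in the log message quoted in this ticket.
ALERT_RE = re.compile(
    r"There were error\(s\) loading the rules: "
    r"(?P<file>\S+?):(?P<line>\d+): (?P<error>.+?) - "
    r"The line in question reads \[\d+\]: (?P<rule>.+)$"
)
# Shape of the binat lines generated for the NPt entry in this ticket.
BINAT_RE = re.compile(
    r"^binat on (?P<iface>\S+) from (?P<src>\S+) to (?P<dst>\S+) -> (?P<redir>\S+)$"
)

def parse_reload_alert(log_line):
    """Return details of a filter reload error, or None for any other line."""
    m = ALERT_RE.search(log_line)
    if not m:
        return None
    info = {"file": m["file"], "line": int(m["line"]),
            "error": m["error"], "rule": m["rule"].strip(), "form": None}
    b = BINAT_RE.match(info["rule"])
    if b:
        info.update(b.groupdict())
        # Hypothetical labels for the two lines of an NPt pair.
        if b["src"] == "any" and b["dst"] != "any":
            info["form"] = "from_any_to_prefix"
        elif b["dst"] == "any" and b["src"] != "any":
            info["form"] = "from_prefix_to_any"
    return info

def scan(lines):
    """Collect every filter reload error found in an iterable of log lines."""
    return [hit for hit in map(parse_reload_alert, lines) if hit]

SAMPLE_LOG = [
    # From the ticket (addresses masked as in the report).
    "Dec 5 13:54:48     php-fpm     23620     /rc.filter_configure_sync: "
    "New alert found: There were error(s) loading the rules: "
    "/tmp/rules.debug:137: syntax error - The line in question reads [137]: "
    "binat on $HENETV6 from any to 2001:xxxx:xxxx:D000::/52 -> 2001:db8:1:D000::/52",
    # Constructed line that must not match.
    "Dec 5 13:55:02     check_reload_status     Reloading filter",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["file"]}:{hit["line"]} {hit["error"]} [{hit["form"]}] {hit["rule"]}')
```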

Associated revisions

Revision f34e9794
Added by Jim Pingle 7 months ago

Stopgap to keep filter reload errors from happening due to NPt rule errors. Ticket #6985

Revision 9c8ce38b
Added by Jim Pingle 7 months ago

Work around the NPt rule loading issue to load the rules as they were on previous versions. Fixes #6985

Revision 140f1f6f
Added by Luiz Otavio O Souza 7 months ago

Revert the workaround now that the pf parsing issue is fixed.

Ticket #6985

History

#1 Updated by Jim Pingle 7 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Luiz Otavio O Souza 7 months ago

Fixed the parsing issue on pf (and reverted the workaround): https://github.com/pfsense/FreeBSD-src/commit/e4a708b0c1bb4ae70299820f97204a5b9b8fcd1e

Thanks for the debug info.

#3 Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

Looks good on a current snapshot
