Bug #6985

NPt rules are causing a filter error on 2.4

Added by Jim Pingle 12 months ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 12/05/2016
Due date:
% Done: 100%
Affected Version: 2.4
Affected Architecture: All

Description

Network Prefix Translation rules that worked on 2.3.2 are causing a filter reload error on 2.4.

Real addresses masked below.

GUI Config:
Firewall > NAT, NPt tab (/firewall_nat_npt.php)
  • Disabled: Unchecked
  • Interfaces: HENETV6
  • Internal Prefix NOT: Unchecked
  • Internal Prefix Address: 2001:db8:1:D000::/52
  • Destination Prefix NOT: Unchecked
  • Destination Prefix Address: 2001:xxxx:xxxx:D000::/52
  • Description: Test Net 2

Log message produced:

Dec 5 13:54:48     php-fpm     23620     /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:137: syntax error - The line in question reads [137]: binat on $HENETV6 from any to 2001:xxxx:xxxx:D000::/52 -> 2001:db8:1:D000::/52

Lines for this NPt entry in /tmp/rules.debug (lines 136-137):

binat on $HENETV6 from 2001:db8:1:D000::/52 to any -> 2001:xxxx:xxxx:D000::/52
binat on $HENETV6 from any to 2001:xxxx:xxxx:D000::/52 -> 2001:db8:1:D000::/52

I'll push a commit to comment out the second line to prevent the filter reload error momentarily so that it does not negatively impact others until a fix is determined. It may be that the second line is no longer needed, but testing is required to confirm that.

Associated revisions

Revision f34e9794
Added by Jim Pingle 12 months ago

Stopgap to keep filter reload errors from happening due to NPt rule errors. Ticket #6985

Revision 9c8ce38b
Added by Jim Pingle 12 months ago

Work around the NPt rule loading issue to load the rules as they were on previous versions. Fixes #6985

Revision 140f1f6f
Added by Luiz Souza 11 months ago

Revert the workaround now that the pf parsing issue is fixed.

Ticket #6985

History

#1 Updated by Jim Pingle 12 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Luiz Souza 11 months ago

Fixed the parsing issue on pf (and reverted the workaround): https://github.com/pfsense/FreeBSD-src/commit/e4a708b0c1bb4ae70299820f97204a5b9b8fcd1e

Thanks for the debug info.

#3 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

Looks good on a current snapshot
