Bug #7173
closed
[2.3.3+] Interface groups with a '-' (dash) in name are not handled correctly, breaking firewall rules
100%
Description
To reproduce:
- Create an interface group named like prefix-test
- Try to add some firewall rule there and save.
Alternative way to reproduce:
- Install tinc package
- Try to use the pkg-tinc interface in firewall rules
Result:
There were error(s) loading the rules: /tmp/rules.debug:149: macro 'prefix' not defined - The line in question reads [149]: pass in quick on $prefix-test inet from any to any tracker 1485799084 keep state label "USER_RULE" @ 2017-01-30 17:58:07
Affected versions: RELENG_2_3 and master (no proper choice for 2.3.3 in Redmine).
Related forum thread (only linking the only useful post directly): https://forum.pfsense.org/index.php?topic=124622.msg689044#msg689044
(And while there, the GUI should NOT let users delete an interface group with a reserved pkg- prefix in name while the package that created it is still installed.)
@rbgarga - these were your commits IIRC. https://github.com/pfsense/FreeBSD-ports/pull/149
Updated by Phillip Davis almost 8 years ago
PR https://github.com/pfsense/pfsense/pull/3452
The char set allowed should be the same as for Interfaces and Aliases.
Updated by Phillip Davis almost 8 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset b835c2dd77a09ea46b5d6abd8d2271332bf52367.
Updated by Kill Bill almost 8 years ago
To get this really fixed, it's needed to
1/ revert a bunch of other commits that allowed that stuff specifically for use with packages (the pkg- prefix).
2/ do something about the tinc package
How about pkg_ instead of pkg-? https://github.com/pfsense/FreeBSD-ports/pull/275
(Plus, can file a separate bug about the last remaining issue, i.e. that users shouldn't be allowed to mess with package-created interface groups, but that depends on 2/ above).
Updated by Phillip Davis almost 8 years ago
PR https://github.com/pfsense/pfsense/pull/3458
To fix validation of Interface, Interface Group and Alias names.
Updated by Phillip Davis almost 8 years ago
What other packages use the "pkg_" prefix to generate names in this namespace?
Updated by Kill Bill almost 8 years ago
Heh, none that I'd know of ATM except tinc, but it simply needs to be something, so that some checking can be done for these cases (don't let use otherwise, don't let rename/delete while pkg is still installed, ...)
Updated by Phillip Davis almost 8 years ago
I guess the package should be responsible for deleting the Interface Group as it uninstalls itself.
So the Interface Groups display and edit pages can always prevent delete/edit of "pkg_*" Interface Groups. From core code there will be no need to try to work out which package made the Interface Group and if that package is installed or not.
True?
Updated by Kill Bill almost 8 years ago
Yeah, I think it should behave like the IPsec/OpenVPN ones, they don't let you mess with those either. :) (Well, except that they are not listed as a group at all...)
Updated by Jim Pingle almost 8 years ago
- Category set to Interfaces
- Target version changed from 2.4.0 to 2.3.3
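Added example (not part of the ticket and not pfSense code): a sketch of why pf reports macro 'prefix' for `$prefix-test`, and of a name check that could run before rules are generated. It relies on the pf.conf(5) rule that macro names contain only letters, digits and underscores. The function names, the sample ruleset and the treatment of `pkg_` as a reserved prefix (as proposed in the thread) are assumptions.

```python
import re

# pf.conf(5): a macro name may contain only letters, digits and underscores,
# so the parser stops reading a "$name" reference at the first other character.
MACRO_REF = re.compile(r"\$([A-Za-z0-9_]+)")
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")
RESERVED_PREFIX = "pkg_"  # assumption: the prefix proposed in the thread


def macro_refs(rule_line):
    """Return the macro names pf would look up in one rule line."""
    unquoted = re.sub(r'"[^"]*"', '""', rule_line)  # no expansion inside quotes
    return MACRO_REF.findall(unquoted)


def group_name_problems(name, created_by_package=False):
    """List reasons a group name must be rejected before rules are generated."""
    problems = []
    if not name:
        problems.append("name is empty")
    elif not SAFE_NAME.fullmatch(name):
        bad = sorted(set(re.sub(r"[A-Za-z0-9_]", "", name)))
        problems.append("characters not valid in a pf macro name: "
                        + " ".join(map(repr, bad)))
    if name.startswith(RESERVED_PREFIX) and not created_by_package:
        problems.append("prefix %r is reserved for package-created groups"
                        % RESERVED_PREFIX)
    return problems


def undefined_macros(ruleset, defined):
    """Return (line_number, macro) pairs for references not in `defined`."""
    return [(number, macro)
            for number, line in enumerate(ruleset.splitlines(), start=1)
            for macro in macro_refs(line) if macro not in defined]


# Constructed sample: the rule from the report, then the same rule with "_".
SAMPLE_RULES = (
    'pass in quick on $prefix-test inet from any to any tracker 1485799084 '
    'keep state label "USER_RULE"\n'
    'pass in quick on $prefix_test inet from any to any tracker 1485799084 '
    'keep state label "USER_RULE"\n'
)

if __name__ == "__main__":
    print(undefined_macros(SAMPLE_RULES, {"prefix-test", "prefix_test"}))
    for candidate in ("prefix-test", "prefix_test", "pkg-tinc", "pkg_tinc"):
        print(candidate, group_name_problems(candidate))
```

Only the dashed reference is flagged: pf reads `$prefix` and then sees `-test` as separate text, so no definition of the group under its dashed name can satisfy it.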