Bug #7372
closed
Cannot filter ICMP Type SKIP
Added by Marc 05 about 7 years ago.
Updated over 6 years ago.
Description
When adding a rule to filter ICMP traffic of type SKIP, the following error shows under Status / System Logs / System / General
/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:207: syntax error - The line in question reads [207]: pass in quick on $LAN inet proto icmp from any to any icmp-type skip tracker 1489010972 keep state label "USER_RULE"
Tested on 2.3.2-RELEASE-p1, and 2.3.3.
No reason for me, just found the bug and reporting it.
I figured it was likely a parser issue when I was narrowing it down to SKIP - I initially tried the types with parentheses before getting to SKIP. I'd say the workaround is not really needed given that it's such a rarely used and insignificant feature. However, I would say that it may be worth improving the parser, since who knows what other issues could come up in the future due to un-escaped input.
Phillip Davis wrote:
SKIP (type 39) has been deprecated:
Is there a reason you (or anyone) need to particularly filter on that icmp-type?
Well, the only reason I can imagine is precisely that: you take the list of deprecated types and filter it, since it's not something that should be floating around. Someone take it to https://bugs.freebsd.org/bugzilla/ perhaps, though I can imagine the only fix will be renaming ICMP_SKIP.
If you want to block all "dodgy" ICMP types, then you should probably block ICMP type numbers that do not have a defined name, as well as deprecated ones. Since there is no way to explicitly specify/select "undefined type codes", you would do this by 2 rules:
1) Pass ICMP types that you know are good/wanted
2) Block all others
So in that case you do not need explicit codes for the deprecated ICMP types.
But I suppose you might want to do something different for deprecated types (log them or not log them...) vs "undefined type codes".
In any case, pfSense could easily modify its own pfctl_parser.c to rename "skip" to something else unique, then use that something else when it turns the config value into the written pf rule.
An easier way to keep it would be to use the type number (39) instead of the name. The rule loads fine with 39 instead of skip:
pass in quick on $WAN reply-to ( igb1 198.51.100.1 ) inet proto icmp from any to any icmp-type 39 tracker 1489080712 keep state label "USER_RULE"
: pfctl -sr | grep skip
pass in quick on igb1 reply-to (igb1 198.51.100.1) inet proto icmp all icmp-type skip keep state label "USER_RULE"
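The numeric workaround above, turned into a small rule-generation check (an added example, not pfSense or pf code): ICMP type names that collide with a pf grammar keyword are emitted as their IANA number so the generated rule survives pfctl's parser. The name-to-number table is a constructed subset of the pf.conf icmp-type names, and the collision set and function names are assumptions for this example.

```python
import re

# Constructed subset of the ICMP type names pf.conf accepts for icmp-type,
# mapped to their IANA type numbers (not the full pf or pfSense table).
ICMP_TYPE_NUMBERS = {
    "echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "echoreq": 8,
    "routeradv": 9, "routersol": 10, "timex": 11, "paramprob": 12,
    "timereq": 13, "timerep": 14, "inforeq": 15, "inforep": 16,
    "maskreq": 17, "maskrep": 18, "trace": 30, "skip": 39, "photuris": 40,
}

# Names that are also pf grammar keywords ("set skip" in this report), so
# "icmp-type skip" fails to load. Assumption: emit the number for these.
PF_KEYWORD_COLLISIONS = {"skip"}


def icmp_type_token(icmp_type):
    """Return the token to write after 'icmp-type' in a generated pf rule.

    Accepts a pf type name or a numeric string; rejects anything else so
    unchecked input never reaches /tmp/rules.debug.
    """
    value = str(icmp_type).strip().lower()
    if re.fullmatch(r"\d{1,3}", value) and int(value) <= 255:
        return str(int(value))                 # already numeric, normalise
    if value not in ICMP_TYPE_NUMBERS:
        raise ValueError(f"unknown ICMP type: {icmp_type!r}")
    if value in PF_KEYWORD_COLLISIONS:
        return str(ICMP_TYPE_NUMBERS[value])   # "skip" -> "39"
    return value


def build_icmp_rule(iface, icmp_type, tracker, label="USER_RULE"):
    """Build a pass rule in the shape pfSense writes for a user ICMP rule."""
    if not isinstance(tracker, int) or tracker < 0:
        raise ValueError("tracker must be a non-negative integer")
    if not re.fullmatch(r"[A-Za-z0-9_ ]+", label):
        raise ValueError("label must be alphanumeric")
    return (f"pass in quick on {iface} inet proto icmp from any to any "
            f"icmp-type {icmp_type_token(icmp_type)} tracker {tracker} "
            f'keep state label "{label}"')


if __name__ == "__main__":
    print(build_icmp_rule("$LAN", "skip", 1489010972))
```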
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved