Bug #8318

PFBlockerNG removes alias file when using advanced inverted rule

Added by Sander Peterse about 1 year ago. Updated 8 months ago.

Status: New
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 02/06/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.2
Affected Architecture: All

Description

I'm running 2 PFSense boxes in an HA setup. Version 2.4.2-RELEASE-p1 (amd64) with PFBlockerNG version 2.1.2_2. The master host is configured to sync its PFBlockerNG config to the backup host using the 'Sync to configured system backup server' option. I'm using 2 custom lists and 1 GEO IP continent rule. This GEO IP rule (for Europe) has an inverted source.

There is a part in the code (/usr/local/pkg/pfblockerng/pfblockerng.inc) that forces these advanced rules to native rules:

...
if ($pfbarr['aaddrnot_in'] == 'on' || $pfbarr['aaddrnot_out'] == 'on') {
    $pfbarr['adv'] = FALSE;
    $pfbarr['folder'] = "{$pfb['nativedir']}";
}
...

This causes the 'cleanup' code to think it has to remove the list, as it logs '[ Removing List(s) : pfB_Europe_v4 ]' on both hosts. But it's still needed by the GEO IP rule with the inverted source!

It also removes the alias file /var/db/aliastables/pfB_Europe_v4.txt as the list 'pfB_Europe_v4' is already removed, that's done by this part of the code:

...
}
else {
    // unlink Continent list
    unlink_if_exists("{$pfb['aliasdir']}/{$ccfile}.txt");
...

This results in this kind of error on the backup node (not on the master host):
There were error(s) loading the rules: /tmp/rules.debug:208: macro 'pfB_Europe_v4' not defined

I think it should not remove the list (pfB_Europe_v4) in the first place. So I created a patch (see attachment) for it, which resolves my issue. It has been applied to both my hosts.

Disclaimer: I'm not using any other GEO IP rules. So I was not able to fully test the changes to see if it might affect other things.

pfblocker_inc_patch.diff (1.25 KB) Sander Peterse, 02/06/2018 06:52 AM
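
A check for the failure described in this report, as an added example that is not part of the original report or of pfBlockerNG: it scans a pf ruleset file for `$macro` references that have no definition and for `table ... file` entries whose backing file is missing. The `name = "<name>"` and `table <name> persist file "..."` layout assumed for rules.debug, the function names, and every sample name other than pfB_Europe_v4 are assumptions; the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code). Assumed ruleset layout:
#   table <name> persist file "/path/name.txt"
#   name = "<name>"

# Print "<line> <macro>" for each $macro that is referenced but never defined.
undefined_macros() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        NR == FNR {                                # pass 1: collect definitions
            if (match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
                name = substr($0, RSTART, RLENGTH)
                gsub(/[ \t=]/, "", name)
                defined[name] = 1
            }
            next
        }
        {                                          # pass 2: check references
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(name in defined) && !(name in seen)) {
                    seen[name] = 1
                    print FNR, name
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' "$1" "$1"
}

# Print "<table> <path>" for each table whose backing file does not exist.
missing_table_files() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*file[[:space:]]*"\([^"]*\)".*/\1 \2/p' "$1" |
    while read -r name path; do
        [ -f "$path" ] || echo "$name $path"
    done
}

# Constructed sample: one healthy list, one list whose alias file is gone,
# and one rule that still references a removed list (the case in this report).
make_sample() {
    : > "$1/pfB_Top_v4.txt"
    cat > "$1/rules.debug" <<EOF
# constructed sample, not taken from the report
table <pfB_Top_v4> persist file "$1/pfB_Top_v4.txt"
pfB_Top_v4 = "<pfB_Top_v4>"
table <pfB_Asia_v4> persist file "$1/pfB_Asia_v4.txt"
pfB_Asia_v4 = "<pfB_Asia_v4>"
block in quick from \$pfB_Top_v4 to any
pass in quick from ! \$pfB_Europe_v4 to any
EOF
}
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the ruleset without loading it and reports the same class of error.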

History

#1 Updated by BBcan177 10 months ago

This should be fixed in the pfBlockerNG-devel version.

#2 Updated by BBcan177 8 months ago

Please report back if this issue can be closed. Thanks!
