Bug #8318
closed
PFBlockerNG removes alias file when using advanced inverted rule
0%
Description
I'm running 2 PFSense boxes in HA setup. Version 2.4.2-RELEASE-p1 (amd64) with PFBlockerNG version 2.1.2_2 . The master host is configured to sync it's PFBlockerNG config to the backup host using the 'Sync to configured system backup server' option. I'm using 2 custom lists and 1 GEO IP continent rule. This GEO IP rule (for Europe) has an inverted sources.
There is a part in the code (/usr/local/pkg/pfblockerng/pfblockerng.inc) that forces these advanced rules to native rules:
[[...
if ($pfbarr['aaddrnot_in'] 'on' || $pfbarr['aaddrnot_out'] 'on') {
$pfbarr['adv'] = FALSE;
$pfbarr['folder'] = "{$pfb['nativedir']}";
}
...]]
This causes the 'cleanup' code to think it has to remove the list as it logs '[ Removing List(s) : pfB_Europe_v4 ]' on both hosts. But it's still needed by GEO IP rule with the inverted source!
It also removes the alias file /var/db/aliastables/pfB_Europe_v4.txt as the list 'pfB_Europe_v4' is already removed, that's done by this part of the code:
...
}
else {
// unlink Continent list
unlink_if_exists("{$pfb['aliasdir']}/{$ccfile}.txt");
...
This results in these kind of errors on the backup node (not on the master host):
There were error(s) loading the rules: /tmp/rules.debug:208: macro 'pfB_Europe_v4' not defined
I think should not remove the list (pfB_Europe_v4) in the first place. So I created a patch (see attachment) for it which resolves my issue. It has been applied to both my hosts.
Disclaimer: I'm not using any other GEO IP rules. So I was not able to fully test the changes to see if it might affect other things.
Files
Updated by 
Updated by