Bug #8360

closed

pf rules occasionally contain "!/" where the WAN network/netmask should be

Added by Chris Linstruth over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 03/06/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2_1
Affected Architecture: All

Description

Very similar to #2883

I have been unable to duplicate this but have seen enough tickets/forum posts to warrant a look.

One was an internal ticket that resulted in these notifications when suricata was reloading its rules.

The latest is this: https://forum.pfsense.org/index.php?topic=144835.0

It appears that the rule set is generated/reloaded at a time when the WAN interface does not have an address/netmask and the rule is improperly generated.

Apologies for not having steps to duplicate but they have proved to be elusive.
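As an added example (not part of the report, the attached 8360.diff, or pfSense's own filter code), the following Python sketch shows the failure mode the description points at: a rule template that interpolates the WAN network and netmask produces the token "!/" when both are empty because the interface has no address at generation time. It also shows two defences a practitioner would want, a guard in the generator that skips the rule when there is no usable network, and a lint pass over a rules.debug body that flags such lines before they reach pfctl. The rule templates, function names, the IPv4-only validation and the sample ruleset are constructed for illustration and are assumptions, not pfSense's actual rules or its fix.

```python
"""
Added example, not pfSense's code: how a pf rule generator emits the malformed
token "!/" when the WAN network/netmask it interpolates is empty (WAN had no
address when the ruleset was built), plus a guarded generator and a lint pass
over rules.debug. Templates, names and the sample ruleset are constructed.
"""
import re
from typing import List, Optional


def wan_negation_rule_buggy(wan_net: Optional[str], wan_mask: Optional[str]) -> str:
    """Reproduce the failure mode: blindly interpolate network/mask.

    With no WAN address (None or ""), the negated operand collapses to "!/".
    The rule template is an illustration, not the rule pfSense emits.
    """
    net = wan_net or ""
    mask = wan_mask or ""
    return f"pass out quick on $WAN from !{net}/{mask} to any keep state"


def wan_negation_rule_safe(wan_net: Optional[str], wan_mask: Optional[str]) -> Optional[str]:
    """Guarded generator (an assumed fix, not the attached 8360.diff).

    Returns None when the interface has no usable IPv4 network/prefix so the
    caller skips the rule instead of writing a line pfctl will reject.
    """
    if not wan_net or not wan_mask:
        return None
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", wan_net):
        return None
    if not re.fullmatch(r"\d{1,2}", wan_mask) or int(wan_mask) > 32:
        return None
    return f"pass out quick on $WAN from !{wan_net}/{wan_mask} to any keep state"


# A negation "!" (optionally followed by whitespace) immediately followed by
# "/", i.e. a network operand whose address part is empty.
_MALFORMED_NEG = re.compile(r"(?<![\w$])!\s*/")


def find_malformed_negations(rules_text: str) -> List[int]:
    """Return 1-based line numbers of a rules.debug body containing "!/"."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if _MALFORMED_NEG.search(line):
            hits.append(lineno)
    return hits


# Constructed sample ruleset: the third rule was generated while WAN had no
# address, the fourth is a well-formed negation that must not be flagged.
SAMPLE_RULES = "\n".join([
    'block in log quick on $WAN from <bogons> to any label "block bogon networks"',
    "pass in quick on $LAN from 192.168.1.0/24 to any keep state",
    "pass out quick on $WAN from !/ to any keep state",
    "pass in quick on $WAN from !198.51.100.0/24 to any keep state",
])


if __name__ == "__main__":
    print(wan_negation_rule_buggy(None, None))
    print(wan_negation_rule_safe(None, None))
    print(wan_negation_rule_safe("198.51.100.0", "24"))
    print(find_malformed_negations(SAMPLE_RULES))
```

The lint pass is a cheap pre-check only; the authoritative syntax check is `pfctl -nf /tmp/rules.debug`, which parses the file without loading it, and the line number it reports is where to look.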


Files

8360.diff (1.35 KB) 8360.diff Jim Pingle, 03/07/2018 12:06 PM
compusense-rules.debug (12.9 KB) compusense-rules.debug rules.debug from the affected firewall Adam Thompson, 05/16/2018 11:13 AM
Actions #1

Updated by Jim Pingle over 6 years ago

  • File 8360.diff 8360.diff added
  • Subject changed from pf rules occasionally contain "!/" where the WAN newrork/netmask should be to pf rules occasionally contain "!/" where the WAN network/netmask should be
  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Affected Version set to 2.4.2_1
  • Affected Architecture All added
  • Affected Architecture deleted ()

Attached patch should fix it, waiting for confirmation before committing.

Actions #2

Updated by Jim Pingle over 6 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Paighton Bisconer over 6 years ago

Unable to duplicate after testing most of the day, multiple versions, multiple rule changes and configurations, multiple WAN states. Tested on 2.4.2-REL and 2.4.2_p1-REL, and latest 2.4.3.a.20180309.0738.

Actions #4

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved
Actions #5

Updated by Adam Thompson over 6 years ago

Just got bitten by this, too, during a 2.4.0 -> 2.4.3_p1 upgrade. Problem did not exist prior to upgrade. In my case, it DOES affect traffic through the firewall.
In my case, the patch provided at https://redmine.pfsense.org/attachments/download/2355/8360.diff does not appear to solve the problem.

I have the complete backup file from the firewall post-2.4.3_p1 upgrade, and it's using the pfSense OVA (original version unknown), updated to 2.4.3_p1, so you should be able to replicate the problem in a VM, at least?

I don't want to post a customer's XML backup publicly, though...

I will attach /tmp/rules.debug momentarily. The syntax error is at line 162.

Actions #7

Updated by Jim Pingle over 6 years ago

This bug is not the same issue. See #8518 and keep comments there.

Actions #8

Updated by Adam Thompson over 6 years ago

Ah! I had not found that bug. Thank you.
