Project

General

Profile

Actions

Bug #8360

closed

pf rules occasionally contain "!/" where the WAN network/netmask should be

Added by Chris Linstruth almost 7 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
03/06/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.2_1
Affected Architecture:
All

Description

Very similar to #2883

I have been unable to duplicate this but have seen enough tickets/forum posts to warrant a look.

One was an internal ticket that resulted in these notifications when suricata was reloading its rules.

The latest is this: https://forum.pfsense.org/index.php?topic=144835.0

It appears that the rule set is generated/reloaded at a time when the WAN interface does not have an address/netmask and the rule is improperly generated.

Apologies for not having steps to duplicate but they have proved to be elusive.


Files

8360.diff (1.35 KB) 8360.diff Jim Pingle, 03/07/2018 12:06 PM
compusense-rules.debug (12.9 KB) compusense-rules.debug rules.debug from the affected firewall Adam Thompson, 05/16/2018 11:13 AM
Actions #1

Updated by Jim Pingle almost 7 years ago

  • File 8360.diff 8360.diff added
  • Subject changed from pf rules occasionally contain "!/" where the WAN newrork/netmask should be to pf rules occasionally contain "!/" where the WAN network/netmask should be
  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Affected Version set to 2.4.2_1
  • Affected Architecture All added
  • Affected Architecture deleted ()

Attached patch should fix it, waiting for confirmation before committing.

Actions #2

Updated by Jim Pingle almost 7 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Paighton Bisconer almost 7 years ago

Unable to duplicate after testing most of the day, multiple versions, multiple rule changes and configurations, multiple WAN states. Tested on 2.4.2-REL and 2.4.2_p1-REL, and latest 2.4.3.a.20180309.0738.

Actions #4

Updated by Jim Pingle almost 7 years ago

  • Status changed from Feedback to Resolved
Actions #5

Updated by Adam Thompson over 6 years ago

Just got bitten by this, too, during a 2.4.0 -> 2.4.3_p1 upgrade. Problem did not exist prior to upgrade. In my case, it DOES affect traffic through the firewall.
In my case, the patch provided at https://redmine.pfsense.org/attachments/download/2355/8360.diff does not appear to solve the problem.

I have the complete backup file from the firewall post-2.4.3_p1 upgrade, and it's using the pfSense OVA (original version unknown), updated to 2.4.3_p1 so you should be able to replicate the problem in an VM, at least?

I don't want to post a customer's XML backup publicly, though...

I will attach /tmp/rules.debug momentarily. The syntax error is at line 162.

Actions #7

Updated by Jim Pingle over 6 years ago

This bug is not that same issue. See #8518 and keep comments there.

Actions #8

Updated by Adam Thompson over 6 years ago

Ah! I had not found that bug. Thank you.

Actions

Also available in: Atom PDF