Bug #8360

pf rules occasionally contain "!/" where the WAN network/netmask should be

Added by Chris Linstruth over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules/NAT
Target version:
Start date:
03/06/2018
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.2_1
Affected Architecture:
All

Description

Very similar to #2883

I have been unable to duplicate this but have seen enough tickets/forum posts to warrant a look.

One was an internal ticket that resulted in these notifications when suricata was reloading its rules.

The latest is this: https://forum.pfsense.org/index.php?topic=144835.0

It appears that the rule set is generated/reloaded at a time when the WAN interface does not have an address/netmask and the rule is improperly generated.

Apologies for not having steps to duplicate but they have proved to be elusive.

8360.diff (1.35 KB) 8360.diff Jim Pingle, 03/07/2018 12:06 PM
compusense-rules.debug (12.9 KB) compusense-rules.debug rules.debug from the affected firewall Adam Thompson, 05/16/2018 11:13 AM

Associated revisions

Revision 2e08a646 (diff)
Added by Jim Pingle over 1 year ago

Add sanity check to rule passing out from host to ensure it does not have a blank destination subnet. Fixes #8360
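As an added illustration (not pfSense code and not part of this ticket), the Python sketch below reproduces the failure the description and the fix describe: a "pass out from host" rule built while the WAN has no subnet/mask yet, the sanity check that refuses to emit it, and a scan of rules.debug text for the resulting "!/" token so a bad generation is flagged before pfctl rejects the whole ruleset. The interface dictionaries, rule wording and sample rules.debug lines are constructed.

```python
import re

# Constructed interface states. pfSense builds rules from per-interface address
# data; a WAN that has not finished coming up has no subnet/mask yet.
WAN_UP = {"if": "em0", "ip": "203.0.113.10",
          "subnet": "203.0.113.0", "subnet_bits": "24"}
WAN_DOWN = {"if": "em0", "ip": "", "subnet": "", "subnet_bits": ""}


def pass_out_from_host_rule(iface):
    """Build a 'pass out from host, not into the local subnet' rule.

    Hypothetical re-implementation of the check the #8360 fix describes:
    with a blank subnet or mask, return None instead of emitting 'to !/'.
    """
    subnet = iface.get("subnet", "")
    bits = iface.get("subnet_bits", "")
    if not subnet or not bits:
        return None
    return (f"pass out quick on {iface['if']} from {iface['ip']} "
            f"to !{subnet}/{bits} keep state")


# '!' directly followed by '/' is a negation of an empty address, e.g. 'to !/'.
BLANK_NEGATION = re.compile(r"!\s*/")


def find_blank_negations(rules_text):
    """Return (line_number, line) for every rule with a blank negated subnet.

    Intended to run over /tmp/rules.debug before it is handed to pfctl, so a
    bad generation is caught and logged instead of aborting the whole load.
    """
    return [(n, line.strip())
            for n, line in enumerate(rules_text.splitlines(), start=1)
            if BLANK_NEGATION.search(line)]


def build_rules(interfaces):
    """Generate the ruleset, skipping interfaces that fail the sanity check."""
    lines = []
    for iface in interfaces:
        rule = pass_out_from_host_rule(iface)
        if rule is None:
            lines.append(f"# skipped pass-out rule on {iface['if']}: no subnet yet")
        else:
            lines.append(rule)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed rules.debug excerpt showing the symptom from the ticket.
    sample = ("pass in quick on em0 proto tcp to port 22\n"
              "pass out quick on em0 from 203.0.113.10 to !/ keep state\n")
    print(find_blank_negations(sample))
    print(build_rules([WAN_UP, WAN_DOWN]))
```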

History

#1 Updated by Jim Pingle over 1 year ago

  • File 8360.diff 8360.diff added
  • Subject changed from pf rules occasionally contain "!/" where the WAN newrork/netmask should be to pf rules occasionally contain "!/" where the WAN network/netmask should be
  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Affected Version set to 2.4.2_1
  • Affected Architecture set to All

Attached patch should fix it, waiting for confirmation before committing.

#2 Updated by Jim Pingle over 1 year ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#3 Updated by Paighton Bisconer over 1 year ago

Unable to duplicate after testing most of the day, multiple versions, multiple rule changes and configurations, multiple WAN states. Tested on 2.4.2-REL and 2.4.2_p1-REL, and latest 2.4.3.a.20180309.0738.

#4 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

#5 Updated by Adam Thompson about 1 year ago

Just got bitten by this, too, during a 2.4.0 -> 2.4.3_p1 upgrade. Problem did not exist prior to upgrade. In my case, it DOES affect traffic through the firewall.
In my case, the patch provided at https://redmine.pfsense.org/attachments/download/2355/8360.diff does not appear to solve the problem.

I have the complete backup file from the firewall post-2.4.3_p1 upgrade, and it's using the pfSense OVA (original version unknown), updated to 2.4.3_p1, so you should be able to replicate the problem in a VM, at least?

I don't want to post a customer's XML backup publicly, though...

I will attach /tmp/rules.debug momentarily. The syntax error is at line 162.

#7 Updated by Jim Pingle about 1 year ago

This bug is not the same issue. See #8518 and keep comments there.

#8 Updated by Adam Thompson about 1 year ago

Ah! I had not found that bug. Thank you.