Bug #8360
closedpf rules occasionally contain "!/" where the WAN network/netmask should be
100%
Description
Very similar to #2883
I have been unable to duplicate this but have seen enough tickets/forum posts to warrant a look.
One was an internal ticket that resulted in these notifications when suricata was reloading its rules.
The latest is this: https://forum.pfsense.org/index.php?topic=144835.0
It appears that the rule set is generated/reloaded at a time when the WAN interface does not have an address/netmask and the rule is improperly generated.
Apologies for not having steps to duplicate but they have proved to be elusive.
Files
Updated by Jim Pingle almost 7 years ago
- File 8360.diff 8360.diff added
- Subject changed from pf rules occasionally contain "!/" where the WAN newrork/netmask should be to pf rules occasionally contain "!/" where the WAN network/netmask should be
- Status changed from New to Assigned
- Assignee set to Jim Pingle
- Affected Version set to 2.4.2_1
- Affected Architecture All added
- Affected Architecture deleted (
)
Attached patch should fix it, waiting for confirmation before committing.
Updated by Jim Pingle almost 7 years ago
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
Applied in changeset 2e08a64666620c8e0dd28eb7c14393bee7b2bfa8.
Updated by Paighton Bisconer almost 7 years ago
Unable to duplicate after testing most of the day, multiple versions, multiple rule changes and configurations, multiple WAN states. Tested on 2.4.2-REL and 2.4.2_p1-REL, and latest 2.4.3.a.20180309.0738.
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved
Updated by Adam Thompson over 6 years ago
Just got bitten by this, too, during a 2.4.0 -> 2.4.3_p1 upgrade. Problem did not exist prior to upgrade. In my case, it DOES affect traffic through the firewall.
In my case, the patch provided at https://redmine.pfsense.org/attachments/download/2355/8360.diff does not appear to solve the problem.
I have the complete backup file from the firewall post-2.4.3_p1 upgrade, and it's using the pfSense OVA (original version unknown), updated to 2.4.3_p1 so you should be able to replicate the problem in an VM, at least?
I don't want to post a customer's XML backup publicly, though...
I will attach /tmp/rules.debug momentarily. The syntax error is at line 162.
Updated by Adam Thompson over 6 years ago
- File compusense-rules.debug compusense-rules.debug added
Updated by Jim Pingle over 6 years ago
This bug is not that same issue. See #8518 and keep comments there.
Updated by Adam Thompson over 6 years ago
Ah! I had not found that bug. Thank you.