Project

General

Profile

Actions

Bug #8390

closed

Input validation does not prevent removing a gateway used by a DNS server

Added by rub man about 6 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Routing
Target version:
Start date:
03/26/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Affected Version:
2.4.3
Affected Architecture:

Description

Hi,

I often see following log entries that I didn't see before removing HE.net tunnel in latest RC build.
78.46.223.24 is nordvpn dns server i entered in system -> general setup
The errors were similar to 78.46.223.24 but with quad9 ipv6 dns servers earlier but then I removed ipv6 dns servers from system -> general setup and then I started seeing following errors.

Mar 25 22:47:34 php-fpm 326 /system.php: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
... editing dns under System -> General Setup
Mar 25 22:46:28 php-fpm 52075 /services_unbound.php: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
... changed unbound settings
Mar 25 22:40:42 php-fpm 326 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
... openvpn interface up
Mar 25 22:40:34 php-fpm 325 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 22:40:34 php-fpm 325 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 22:40:34 php-fpm 325 /rc.newwanip: The command '/sbin/route delete -host 78.46.223.24' returned exit code '1', the output was 'route: route has not been found delete host 78.46.223.24 fib 0: not in table'
... wan interface up
Mar 25 22:40:33 php-cgi rc.bootup: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 22:40:33 php-cgi rc.bootup: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 22:40:33 php-cgi rc.bootup: The command '/sbin/route delete -host 78.46.223.24' returned exit code '1', the output was 'route: route has not been found delete host 78.46.223.24 fib 0: not in table'

Actions #1

Updated by rub man about 6 years ago

I partially fixed the issue by adding dns 2620:fe::fe and then deleting it.

Now I only see one error message at bootup (and no error at openvpn up/changing unbound settings/changing dns)::

Mar 25 23:24:40 php-fpm 326 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 23:24:40 php-fpm 326 /rc.newwanip: The command '/sbin/route delete -host 78.46.223.24' returned exit code '1', the output was 'route: route has not been found delete host 78.46.223.24 fib 0: not in table'
... wan up
Mar 25 23:24:39 php-cgi rc.bootup: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]'
Mar 25 23:24:39 php-cgi rc.bootup: The command '/sbin/route delete -host 78.46.223.24' returned exit code '1', the output was 'route: route has not been found delete host 78.46.223.24 fib 0: not in table'

Actions #2

Updated by rub man almost 6 years ago

my config.xml file had <dns5gw>NORDVPN_DHCP</dns5gw>
despite having no DNS entries in System/Advanced

changed it to <dns5gw>none</dns5gw> and problem solved!

I would like to thank the source code for helping me narrow down the problem.

Actions #3

Updated by Ivars Strazdins over 3 years ago

This issue was driving me nuts!
Thanks to your hint, I was able to find similar "ghost" DNS servers in configuration export and removed them.

Actions #4

Updated by Viktor Gurov over 3 years ago

  • Status changed from New to Feedback

Ivars Strazdins wrote:

This issue was driving me nuts!
Thanks to your hint, I was able to find similar "ghost" DNS servers in configuration export and removed them.

What is your pfSense version?

Unable to reproduce it on 2.5.0.a.20201009.1850
seems to be fixed in #10001 and #10397

Actions #5

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Confirmed

Their problem is different from the ones linked.

When you remove a gateway, there can still be entries in the DNS server list using that gateway. Input validation should probably prevent removing a gateway if it's still in use by DNS servers.

You can edit the DNS server and change it to a valid gateway, or remove the affected DNS server.

Actions #6

Updated by Viktor Gurov over 2 years ago

Jim Pingle wrote in #note-5:

Their problem is different from the ones linked.

When you remove a gateway, there can still be entries in the DNS server list using that gateway. Input validation should probably prevent removing a gateway if it's still in use by DNS servers.

input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/341

Actions #7

Updated by Jim Pingle over 2 years ago

  • Status changed from Confirmed to Pull Request Review
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions #8

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #9

Updated by Danilo Zrenjanin over 2 years ago

  • Status changed from Feedback to Resolved

I tested against today's development release.

I got an error message and couldn't remove a gateway that was defined to be used by the DNS server.

It looks OK. Ticket resolved.

Actions #10

Updated by Jim Pingle over 2 years ago

  • Subject changed from Strange Error after deleting GIF HE.net IPv6 tunnel latest RC to Input validation does not prevent removing a gateway used by a DNS server
  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01

Updating subject for release notes and fixing targets.

Actions

Also available in: Atom PDF