Bug #8604 (Closed): Race condition in NAT reflection filter rules leads to ruleset load failure
Start date: 06/27/2018
% Done: 100%
Affected Version: 2.4.4
Affected Architecture: All
Description
On current 2.4.4 snapshots, at boot time the rules can be (re)loaded before all of the interface addresses are present. In most cases this is harmless, but with NAT reflection rules this can lead to a pf error due to the way they reference the interface as a 'from' address in a rule:
There were error(s) loading the rules: /tmp/rules.debug:90: could not parse host specification - The line in question reads [90]: no nat on vmx1 proto tcp from vmx1 to 10.6.0.10 port 22 @ 2018-06-27 08:48:43
The rules are reloaded again after the interfaces settle, and by the time the boot completes the rules load OK, but it still generates a notice and error in the logs so it's not nice for the end user to see each boot.
To me, I have a fix.
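The report describes the failure mode precisely: a generated 'no nat' reflection rule names the interface itself as the 'from' host, and if that interface has no address when pfctl parses the file, the whole ruleset is rejected until the later reload. The following shell script is an added example, not pfSense's own code and not the fix in the commit referenced below. It shows a pre-load check a boot script could run: it extracts the interfaces used as bare 'from' hosts in 'no nat' rules, compares them with an "ifname address" table (built from ifconfig on a real box; a constructed sample is used here so the script runs offline), and reports whether the ruleset is safe to hand to pfctl or whether the load should be deferred. The ruleset fragment, the interface names and the addresses in the sample are constructed to mirror the line quoted in the report.

```shell
#!/bin/sh
# Added example (not pfSense code): gate a ruleset load on the interfaces that
# NAT reflection rules reference as 'from' hosts having an address already.

# Build an "ifname address" table from ifconfig (assumes FreeBSD/Linux ifconfig
# output: an "ifname:" header line followed by indented "inet ADDR ..." lines).
live_addr_table() {
    ifconfig -a | awk '/^[A-Za-z]/ { ifn = $1; sub(/:$/, "", ifn) }
                       /^[ \t]*inet / { print ifn, $2 }'
}

# Print every interface that appears as a bare 'from' host in a 'no nat'
# reflection rule but has no entry in the address table.
missing_reflection_ifaces() {
    rules="$1"; addrs="$2"
    awk '/^no nat on / { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$rules" |
    sort -u |
    while read -r ifn; do
        ifn=${ifn#\(}; ifn=${ifn%\)}        # also accept pf's dynamic "(vmx1)" form
        case "$ifn" in
            [A-Za-z]*[0-9]) ;;              # looks like an interface name (vmx1, em0, lagg0)
            *) continue ;;                  # an address, network, table or "any": skip
        esac
        grep -q "^$ifn " "$addrs" || echo "$ifn"
    done
}

# Return 0 when the ruleset can be loaded, 1 when some interface is not ready.
reflection_rules_ready() {
    n=$(missing_reflection_ifaces "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample: a ruleset fragment shaped like the report's line 90, and
# an address table in which vmx1 has not received its address yet.
SAMPLE_RULES=$(mktemp)
SAMPLE_ADDRS=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
nat on vmx0 from 10.6.0.0/24 to any -> (vmx0)
no nat on vmx0 proto tcp from vmx0 to 10.6.0.10 port 443
no nat on vmx1 proto tcp from vmx1 to 10.6.0.10 port 22
EOF
cat > "$SAMPLE_ADDRS" <<'EOF'
vmx0 192.0.2.1
EOF

# On a live system the call would be:
#   live_addr_table > /tmp/addrs; reflection_rules_ready /tmp/rules.debug /tmp/addrs
if reflection_rules_ready "$SAMPLE_RULES" "$SAMPLE_ADDRS"; then
    echo "ruleset ready to load"
else
    echo "deferring ruleset load; interfaces without an address:" \
         $(missing_reflection_ifaces "$SAMPLE_RULES" "$SAMPLE_ADDRS")
fi
```

With the sample above the check reports vmx1 and declines the load; once a line for vmx1 is appended to the address table it passes. The check is deliberately narrow: it only looks at 'no nat' rules and at tokens that look like interface names, so address literals, networks and tables in the same file are left alone, and it does not attempt to interpret anything else pf would reject.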
Updated by Jim Pingle over 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 6f8e648f5c88e04166539ab27872b13dfd587cb8.
Updated by Jim Pingle over 6 years ago
- Status changed from Feedback to Resolved
Only system we had exhibiting this condition is fixed after the commit above. Closing.