Firewall rules added from GUI want to add 802.1p, which causes errors
-
Version:
2.1-BETA1 (i386)
built on Wed Apr 10 06:38:57 EDT 2013
FreeBSD 8.3-RELEASE-p7To reproduce:
1. Add firewall rule. I can't find any options that don't have this behavior, so any combination of them should work. Don't select any advanced options
2. Save rule
3. Edit that rule. There are 802.1p options with "none." Once you apply, you get a notice like:04-10-13 12:39:45 [ There were error(s) loading the rules: /tmp/rules.debug:166: invalid ieee8021q_pcp value none - The line in question reads [166]: block in quick on $GUESTNETWORK inet from x.x.x.x/x to y.y.y.y/y ieee8021q-pcp none ieee8021q-setpcp none label USER_RULE]I can temporarily add rules via easyrule, but I'm not so sure these are even working as intended, as some inter-VLAN traffic that should be blocked (and was with 2.0.2) is passing with no problem. If there is already a fix for this, I'd appreciate a link. Thanks in advance!
Edit: the offending rules.debug line is:
block in quick on $GUESTNETWORK inet proto tcp from x.x.x.x/x to y.y.y.y/y ieee8021q-pcp none ieee8021q-setpcp none label "USER_RULE"Edit2: I've made a temporary workaround by modifying firewall_rules_edit.php:
621 if ($_POST['vlanprio'] != "" && $_POST['vlanprio'] != "none") { 622 $filterent['vlanprio'] = $_POST['vlanprio']; 623 } 624 if ($_POST['vlanprioset'] != "" && $_POST['vlanprioset'] != "none") { 625 $filterent['vlanprioset'] = $_POST['vlanprioset']; 626 }I don't have a copy of 2.0.2 handy, but I'm assuming it's got to do with an array value (none) that was blank, but is now populated.
Edit3: lots of edits! Pretty sure the following is what was intended (again, firewall_rules_edit.php):
1316 foreach($vlanprio as $vprio) { 1317 if ($vprio == $pconfig['vlanprio']) 1318 $selected = " selected=\"selected\""; 1319 else 1320 $selected = ""; 1321 if ($vprio == "none") 1322 $opts .= "<option value="\"\"">{$vprio}</option>\n"; 1323 else 1324 $opts .= "<option value="\"{$vprio}\"" {$selected}="">" . strtoupper($vprio) . "</option>\n"; 1325 }Original was:
1316 foreach($vlanprio as $vprio) { 1317 if ($vprio == $pconfig['vlanprio']) 1318 $selected = " selected=\"selected\""; 1319 else 1320 $selected = ""; 1321 if ($vprio == "none") 1322 $opts .= "<option value="\"{$vprio}\"">{$vprio}</option>\n"; 1323 else 1324 $opts .= "<option value="\"{$vprio}\"" {$selected}="">" . strtoupper($vprio) . "</option>\n"; 1325 }So, it appears problem solved with that edit.
-
Thanks for the catch. Found this on a fresh install using pfSense-memstick-2.1-BETA1-i386-20130410-0638.img.gz
Did the edit to line 1322 and it appears to be fixed.
Looks like a problem with this snapshot. I'm sure it's because I decided to grab the latest to load on a production box… -
Has this been fixed ? Updated to latest snapshot in 2.1 and now I get same issue
11:54:18 [ There were error(s) loading the rules: /tmp/rules.debug:466: invalid ieee8021q_pcp value none - The line in question reads [466]: pass in quick on $WAN reply-to ( bge1 208.73.1.1 ) inet proto tcp from any to $dss port 443 ieee8021q-pcp none ieee8021q-setpcp none flags S/SA keep state label USER_RULE: LB access]
Cant add in any rules
-
Could you copy and paste your /usr/local/www/firewall_rules_edit.php file at line 1322? My revision got merged, but I'm not sure if it made it into the latest snapshot.
If it doesn't look like this:
$opts .= "<option value="\"\"">{$vprio}</option>\n";you should be able to edit it to that until it's in the next latest.
-
This is what I see in that line
$opts .= "<option value="""">{$vprio}</option>\n";
-
I am not sure if it looks the same or not but I still get that error when creating new rules.
What else would you like to see ?
-
Are you sure that it's from new rules you're adding? I cannot reproduce this behavior with the edited code, but if rules created while this bug was in are still in use and haven't yet been re-saved, that may be where it's coming from. I'd recommend moving through your rules and making sure that the 802.1p section is not expanded anywhere you don't expect it to be.
A quick way to test if it's affecting new rules is to just create one and save it, then edit it immediately after. If the 802.1p section is expanded, weird stuff is afoot. If it's not, old rules are the culprit.
-
Well,
Every time I add a rule I see this notification. Quiet frankly it looks like there are other things jammed up now. Which may go back to the rules being jammed while the bug is in. Some natting seems to not work correctly fo sure.
When was this issue introduced and can I update to a prior version ? -
I'd recommend moving through your rules and making sure that the 802.1p section is not expanded anywhere you don't expect it to be.
A quick way to test if it's affecting new rules is to just create one and save it, then edit it immediately after. If the 802.1p section is expanded, weird stuff is afoot. If it's not, old rules are the culprit.
Where is this section ? in the /usr/local/www/firewall_rules_edit.php Can you paste what it should look like ?
-
The relevant line you pasted is correct. Create a rule and save it. Now immediately edit that rule. If it looks like the one on the right, something weird is going on. If it looks like the one on the left, the notifications are from old rules reloading. You SHOULD be able to go into each of those rules and save them to get rid of the "none" value.
-
This should be fixed all-around in current snapshots. It will ignore the none if it's there and edit/save will remove it.
