Is it possible to do inverse matching of tags in floating rules?

lightwave

Hi everybody!

Is it possible to set up a floating rule that blocks all outbound traffic on an interface that has not been tagged with a certain tag (inverse matching)? Essentially, I'm trying to find a way to implement the following pf-rule:

block out quick on RED_NET ! tagged RED_NET_OK

So far, the only possible solution I've found i to add the rule to "/etc/inc/filter.inc", but I would rather not have parts of the ruleset outside of the user interface.

Thank you in advance!

jimp

There doesn't appear to be, but it may not be too difficult to add something that would at least let you enter, say, !RED_NET_OK in the Tagged field and then it sees that and splits out the ! into the right spot.

Open a feature request at https://redmine.pfsense.org in the Rules/NAT Category and we'll see what we can do.

lightwave

Thanks for the quick reply!

I have created Feature Request #10186. I'm afraid I missed to set the category and I do not seem to have the rights to change it after pressing create.

It looks as if the solution that you propose could be implemented with a small change to filter_generate_user_rule($rule) in filter.inc around the lines

if (!empty($rule['tagged'])) {
		$aline['tagged'] = " tagged \"" .$rule['tagged']. "\" ";
	}

A small change to the input validation in firewall_rules_edit.php would also be required to allow the value of the "tagged" field to start with an exclamation mark.

I will likely spend a few moments to write the code and patch my current installation of pfSense to enable this feature. Would it be of use to you if I clone the GIT repository and send in a patch file (of pull request) with my changes?