pfsense / pfctl bug? clicking X does not kill states.

bb-mitch

Re: Pfctl -k id not working?

Working with opnsense... Google lead me to this post. Thank you @luckman212 for posting your success. I really appreciate it when people do that and I try to do it myself.

My topic on opnsense is here: https://forum.opnsense.org/index.php?topic=20901.0

I have the same issue - on opnsense. I suspect the same issue exists on both systems.

I've been wondering though about labeling rules or other more organized ways of flushing certain states.

bb-mitch

Thanks @chemlud - in our case we can't rely on killing all states. Consider today... certain traffic from certain clients needs to be flushed to enable reconnection (switching to an alternate proxy on our side). Relying on killall for this means we'd have to work outside their hours / be unable to manage this. so pretty critical for us to fix. that said, I think the pfctl WORKS - the call from opnsense / pfsense to pfctl seems to be the issue.

Will continue to update my notes on both forums if I can, but I this man is relevant.
https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8

 To	kill a state with ID 4823e84500000018 created from a backup
	     firewall with hostid 00000002 use:

		   # pfctl -k id -k 4823e84500000018/2

In the case of opnsense the creator id always seems to be set, and changes as states are updated / replaced.

One other interesting option would be if we were able to kill states by label. To do that, we need to "label" the rule. Is that possible? then we could kill states in the form:

 It	is also	possible to kill states	by rule	label or state ID.  In
	     this mode the first -k argument is	used to	specify	the type of
	     the second	argument.  The following command would kill all	states
	     that have been created from rules carrying	the label "foobar":

		   # pfctl -k label -k foobar

Any ideas / knowledge appreciated. Even if the bug can't be fixed, that would help us (and others) work around the issue. Thanks everyone!

Mitch

kiokoman

@bb-mitch

pppoe0 tcp 217.xxx.xxx.xxx:18728 (192.168.10.22:52626) -> 81.171.2.181:443       ESTABLISHED:ESTABLISHED
   [3007704979 + 30336] wscale 8  [362943345 + 131328] wscale 7
   age 00:00:19, expires in 119:59:41, 4:4 pkts, 742:328 bytes, rule 115
   id: 000000006217f3bf creatorid: 3d277c5d
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: pfctl -k id -k 000000006217f3bf
killed 1 states
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: pfctl -s state -vv | grep 000000006217f3bf
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root:

?

bb-mitch

@kiokoman hey - it DOES seems like it works sometimes.
Just like clicking the X works sometimes. Not sure why as no error is shown.
I've done the same thing and seen "killed 0 states" then added the creator, and seen "killed 1 states"
Maybe there is another cause?

kiokoman

@bb-mitch
idk, I'm not using it every day but those few times that I used it I never really noticed the problem