Sticky-address cannot be redefined
I have come across an error that I can only get to appear with sticky connections enabled and the "ok_Custom IP Whitelist v4" firewall rule directly below either of the ICMP echoreq rules above it.
There were error(s) loading the rules: /tmp/rules.debug:1292: sticky-address cannot be redefined - The line in question reads [1292]: pass in quick on $2_VLAN16_IRIS $GW0_WAN_ClientTor_DIPs inet from $TorVPN_Client_DIP_Gateway_Exit to $pfB_Custom_IP_Whitelist_v4 tracker 1611266190 keep state dnqueue( 1,2) label "USER_RULE: ok_Custom IP Whitelist v4"
It is similar to this issue, except I do not have an ICMP message type selected for the specific rule.
And it is also similar to this issue, where the issue goes away if it is not directly below an ICMP echoreq rule.
Here is the rule, along with the two echoreq rules above it:
<rule>
  <id></id>
  <tracker>1605834260</tracker>
  <type>reject</type>
  <interface>opt11</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <protocol>icmp</protocol>
  <icmptype>echoreq</icmptype>
  <source>
    <address>All_Eyes</address>
  </source>
  <destination>
    <network>opt11</network>
  </destination>
  <descr><![CDATA[Reject Cameras Pinging Devices On Local Network]]></descr>
  <created>
    <time>1605834260</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </created>
  <updated>
    <time>1605932991</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </updated>
</rule>
<rule>
  <id></id>
  <tracker>1605831833</tracker>
  <type>pass</type>
  <interface>opt11</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <protocol>icmp</protocol>
  <icmptype>echoreq</icmptype>
  <source>
    <address>All_Eyes</address>
    <not></not>
  </source>
  <destination>
    <network>opt11</network>
  </destination>
  <descr><![CDATA[Allow NonCameras To Ping Devices On Local Network]]></descr>
  <created>
    <time>1605831833</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </created>
  <updated>
    <time>1611270521</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </updated>
</rule>
<rule>
  <id></id>
  <tracker>1611266190</tracker>
  <type>pass</type>
  <interface>opt11</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <protocol>tcp/udp</protocol>
  <source>
    <address>TorVPN_Client_DIP_Gateway_Exit</address>
  </source>
  <destination>
    <address>pfB_Custom_IP_Whitelist_v4</address>
  </destination>
  <descr><![CDATA[ok_Custom IP Whitelist v4]]></descr>
  <gateway>0_WAN_ClientTor_DIPs</gateway>
  <dnpipe>UploadQueue</dnpipe>
  <pdnpipe>DownloadQueue</pdnpipe>
  <created>
    <time>1611266190</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </created>
  <updated>
    <time>1611271877</time>
    <username><![CDATA[admin@172.31.10.131 (Local Database)]]></username>
  </updated>
</rule>
There appears to be a bug open for this #10726. But it sounds like it is saying the bug only applies when the rule itself has an ICMP-type set.
Before I submit a new bug, I wanted to see if this is the same bug that needs to have what I am seeing added to it? Or if this is something different I should submit a new bug for?
Doing any of these seems to stop the error from showing on the Filter Reload page:
- Moving the "ok_Custom IP Whitelist v4" rule above the ICMP echoreq rules.
- Moving the "ok_Custom IP Whitelist v4" rule two below the last ICMP echoreq rule.
- Disabling System > Advanced > Miscellaneous > Load Balancing (unchecked).
- Changing the "Allow NonCameras To Ping Devices On Local Network" rule to have an ICMP echo type of any.
- Inserting a rule between the "Allow NonCameras To Ping Devices On Local Network" rule and the "ok_Custom IP Whitelist v4" rule.
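Added example, not part of the original post and not pfSense code: a small checker that walks the rules of a config export in order and flags the layout reported above, a gateway (policy-routed) rule with no ICMP type sitting directly below an ICMP-typed rule on the same interface. The `<filter>` wrapper, the per-interface adjacency, and the treatment of a `<disabled>` element as "rule not emitted" are assumptions; the sample is constructed from the three rules in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's three rules, trimmed to the relevant fields and
# wrapped in a <filter> element (assumed layout of a pfSense config.xml export).
SAMPLE = """<filter>
<rule><tracker>1605834260</tracker><type>reject</type><interface>opt11</interface>
  <protocol>icmp</protocol><icmptype>echoreq</icmptype>
  <descr><![CDATA[Reject Cameras Pinging Devices On Local Network]]></descr></rule>
<rule><tracker>1605831833</tracker><type>pass</type><interface>opt11</interface>
  <protocol>icmp</protocol><icmptype>echoreq</icmptype>
  <descr><![CDATA[Allow NonCameras To Ping Devices On Local Network]]></descr></rule>
<rule><tracker>1611266190</tracker><type>pass</type><interface>opt11</interface>
  <protocol>tcp/udp</protocol><gateway>0_WAN_ClientTor_DIPs</gateway>
  <descr><![CDATA[ok_Custom IP Whitelist v4]]></descr></rule>
</filter>"""


def field(rule, tag):
    """Stripped text of a child element; '' when the element is absent or empty."""
    return (rule.findtext(tag) or "").strip()


def find_suspect_rules(xml_text):
    """Return (tracker, descr, tracker_of_rule_above) for every enabled rule that
    has a gateway, has no ICMP type, and sits directly below an ICMP-typed rule
    on the same interface."""
    last_on_iface = {}  # interface -> previous enabled rule on that interface
    hits = []
    for rule in ET.fromstring(xml_text).iter("rule"):  # iterates in document order
        if rule.find("disabled") is not None:  # assumption: disabled rules are not emitted
            continue
        prev = last_on_iface.get(field(rule, "interface"))
        if (prev is not None and field(prev, "icmptype")
                and field(rule, "gateway") and not field(rule, "icmptype")):
            hits.append((field(rule, "tracker"), field(rule, "descr"),
                         field(prev, "tracker")))
        last_on_iface[field(rule, "interface")] = rule
    return hits


if __name__ == "__main__":
    for tracker, descr, above in find_suspect_rules(SAMPLE):
        print(f"rule {tracker} ({descr!r}) sits directly below ICMP-typed rule {above}")
```

The check is a heuristic built only from the conditions reported in the post; it does not test whether sticky connections are enabled and says nothing about the root cause.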