Interface-specific state clearing with "pfctl -i <if>-Fs"</if>
-
A few days ago, Ermal just pushed some changes into 2.1-BETA1 snapshot,
https://github.com/bsdperimeter/pfsense/commit/8f563bb423ab8a1c06a191b5fc772a260b042360
in an attempt to solve the long-standing issue with stale states upon WAN IP change (http://redmine.pfsense.org/issues/1629)However this interface-specific state clearing doesn't seem to work for me, when invoked at the command-line (I always get a "0 states cleared" output)
-
I also noticed that and played around a little, after that I updated the ticket. I don't think this can work without using if-bound states. There are no states bound to interfaces, -i will not work. If you do a
pfctl -ssevery line starts with "all". For -i to work they have to start with something like "re0" or "tun0" etc.
I verified that with an OpenBSD host usingset state-policy if-boundThere I was able to do this:
pfctl -i tun0 -ss tun0 udp 192.168.xxx.1:161 <- 192.168.xxx.101:47975 MULTIPLE:MULTIPLE tun0 udp 192.168.xxx.1:161 <- 192.168.xxx.101:60632 SINGLE:MULTIPLE tun0 udp 192.168.xxx.1:161 <- 192.168.xxx.101:48521 SINGLE:MULTIPLE tun0 udp 192.168.xxx.1:161 <- 192.168.xxx.101:53658 MULTIPLE:MULTIPLE pfctl -i tun0 -Fs 4 states cleared -
I forgot to add, that I tried to find a way to get pfctl to clear the states needed but failed.
I don't know if it would update established states or even work in pfSense, but it might be worth looking at this possiblity for
"src_addr, dst_addr"
as it can be
"The name of a network interface or group in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes."
(Source: http://www.openbsd.org/faq/pf/filter.html) -
Nah its not related to that but an internal patch used.
I fixed teh issue next snapshot should behave correctly. -
In the latest snap, pfctl -i <if>-Fs does indeed kill states, but only half of them.
It kills those on the WAN if, whereas the related states on LAN if remain.There is some related feedback at http://redmine.pfsense.org/issues/1629</if>
-
I noticed also (running 2.1-BETA1 snap from Thu Feb 21 06:47:29 EST 2013) the following
If I e.g. start a ping -t google.com from a computer on the LAN in a multi-WAN failover setup, and force the WAN1 link to fail (e.g. by unplugging the cable) the states linked to WAN1 will not be flushed, and subsequent pings TO that host FROM the same host will start to fail even though general connectivity is UP (e.g. browsing works, or even pings to other hosts).
-
When I check the state table I see that there is still a state in place forcing ICMP to/from that specific LAN/WAN host pair. Flushing the state table immediately gets the ping working again.
-
one more observation: this only affects WAN links that are set to "DHCP" mode – if I change them to static IP, the state flushing does seem to work properly
I am curious, if I wanted to experiment with my own script using pfctl to flush states bound to a specific interface, what would the relevant commands be? I google'd quite a bit and it appears I need some variation of
pfctl -K […]
pfctl -k […]
pfctl -b […]But I can't figure out what options work, and much of the docs seem to be out of date(?)
-
-
I think the only option is reading the source since pfSense uses a patched version on pfctl/pf for this:
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_3/killifstates.RELENG_8.diff
To change the behaviour you would need to adjust the patch, I guess.
