Firewall / Rules - drop policy based routing validation on interface rules as discussed in #5329 (comment)
AdSchellevis committed Nov 15, 2021
1 parent c28567e commit b567ddb
Showing 1 changed file with 0 additions and 7 deletions.
7 changes: 0 additions & 7 deletions src/www/firewall_rules_edit.php
Expand Up @@ -335,13 +335,6 @@ function is_posnumericint($arg) {

if (!empty($pconfig['floating']) && !empty($pconfig['gateway']) && (empty($pconfig['direction']) || $pconfig['direction'] == "any")) {
$input_errors[] = gettext("You can not use gateways in Floating rules without choosing a direction.");
} elseif (empty($pconfig['floating']) && $pconfig['direction'] != "in" && !empty($pconfig['gateway'])) {
// XXX: Technically this is not completely true, but since you can only send to other destinations reachable
// from the selected interface in this case, it will likely be confusing for our users.
// Policy based routing rules on inbound traffic can use the correct outbound interface, which is the
// scenario that is most commonly used .
// For compatibilty reasons, we only apply this on non-floating rules.
$input_errors[] = gettext("Policy based routing (gateway setting) is only supported on inbound rules.");
}

if (!in_array($pconfig['protocol'], array("tcp","tcp/udp"))) {
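Review bot: removing the elseif drops the only check that rejected a gateway on non-floating rules whose direction is not "in", and with it the caveat the deleted comment documented (such rules can only send to destinations reachable from the selected interface, which the comment said would likely confuse users); consider carrying that caveat into the help text of the gateway field, and leaving a short code comment pointing at #5329 so the reason the validation was dropped survives in the source rather than only in the commit message. The preceding floating-rule check (a gateway requires a direction) is untouched and still applies.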

5 comments on commit b567ddb

@mimugmail
Member


Does this commit now also allow failover for outgoing squid connections?

@fichtner
Member


It should work on 22.1 betas if it was fixed correctly there (there was a change for it but I’m not convinced yet).

@AdSchellevis
Member Author


@mimugmail I guess that depends, you should be able to direct packets on their way out, but this was already possible with floating rules. The difference is that we had a validation on "interface" rules to prevent outgoing gateways being selected unintentionally. As far as I know the issue is mainly in the "matching" part, when a service binds to a specific (loopback) interface, you should be able to force its destination (already, as this is the same pattern local services use to stick to an interface and ignore destination routing). Sometimes this is a bit mind-boggling I guess.

@fichtner
Member

@fichtner fichtner commented on b567ddb Nov 21, 2021


@AdSchellevis
Member Author


@fichtner might be, but we're not shipping the cause of the bug report if I'm not mistaken freebsd/freebsd-src@41063b4, the route-to on outgoing traffic when bound to the interface should work (as the ticket about Wireguard+Unbound seems to suggest), I'm just not sure you can always easily bind traffic to the interface on every service (like squid). Long story short, the latest FreeBSD version might have changed behaviour, but to me it's unclear if it's different than what it was in FreeBSD 12.1 and earlier.
