OPNsense 23.7.8_1 Aliases for type Port(s) not working #7017

Closed
2 tasks done
roykrikke opened this issue Nov 16, 2023 · 18 comments
Labels
support Community support

Comments

@roykrikke
Describe the bug

I think there is a serious issue with OPNsense 23.7.8_1-amd64 and aliases of type Port(s). If I add an alias of type Port(s) in Firewall: Aliases, the web interface works and the alias with that name is nicely added. But in Firewall: Diagnostics: Aliases it is not shown. The firewall rule where I would like to use the alias is also not working.

By checking:

    pfctl -t $ALIAS -T show

it returns an error:

    pfctl: Unknown error: -1.

If I use the same command with an existing Network(s) alias, it works and shows the IPs.

Am I doing something wrong? Or have I indeed found a bug in this version?

To Reproduce

Steps to reproduce the behavior:

  1. Add alias of type Port(s) in Firewall ‣ Aliases.
  2. Save the new Alias
  3. Check in Firewall: Diagnostics: Aliases if the Alias is listed.
  4. Alias is not visible

Extra view to check the alias:

  1. Open shell
  2. Run: pfctl -t $ALIAS -T show (where $ALIAS is the name of the alias added via the web interface)
  3. I received a return error of -1

Expected behavior

I need all the alias types to work, either standalone or nested.

Describe alternatives you considered

There is no alternative available if you would like to use aliases for Port(s).

Screenshots

n.a.

Relevant log files

n.a.

Additional context

n.a.

Environment

Software version used:
OPNsense 23.7.8_1-amd64

@AdSchellevis (Member)

That's to be expected; port aliases are macros (man pf.conf). grep portaliasname /tmp/rules.debug should show more.

AdSchellevis added the label "support (Community support)" on Nov 16, 2023

@roykrikke (Author)

I can check the command @AdSchellevis shared. But why is the Port(s) alias not picked up by the firewall rules? I checked with an extremely simple example.

@roykrikke (Author)

roykrikke commented Nov 16, 2023

I checked /tmp/rules.debug on a fresh install with some extremely simple tests.

I added the aliases below:

(screenshot: the aliases added in Firewall: Aliases)

Then checking the /tmp/rules.debug file:

root@OPNsense:~ # cat /tmp/rules.debug
set limit table-entries 1000000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 200000
set limit src-nodes 200000
set hostid 0x3c18befd

# User Aliases
table <TEST1>  persist
TEST1 = "<TEST1>"
TEST2 = "{ 443 }"
TEST3 = "{ 22 }"
TEST_NEST = "{ 443 22 }"
table <bogons>  persist
bogons = "<bogons>"
table <bogonsv6>  persist
bogonsv6 = "<bogonsv6>"
table <virusprot>  persist
virusprot = "<virusprot>"
table <sshlockout>  persist
sshlockout = "<sshlockout>"
table <__wan_network>  persist
__wan_network = "<__wan_network>"
table <__lan_network>  persist
__lan_network = "<__lan_network>"
table <__lo0_network>  persist
__lo0_network = "<__lo0_network>"
table <bogons> persist file "/usr/local/etc/bogons"
table <bogonsv6> persist file "/usr/local/etc/bogonsv6"

# Plugins tables

set loginterface em1

set skip on pfsync0

scrub on em1 all
scrub on em0 all


# NAT Redirects
no nat proto carp all
no rdr proto carp all
# [prio: 300]
no rdr on em1 proto tcp to {(em1)} port {22} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on em1 proto tcp to {(em1)} port {80} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on em1 proto tcp to {(em1)} port {443} # Anti lockout, prevent redirects for protected ports to this interface ip

antispoof log for em1
antispoof log for em0
# [prio: 1]
# pass in log quick on lo0 inet6 from {any} to {any} label "62bc9bf7ea7b56454e39925bfa2d5741" # Pass all loopback IPv6
# block in log quick inet6 from {any} to {any} label "0ec8294e29827da393c3bfad611eecbb" # Block all IPv6
block in log inet from {any} to {any} label "02f4bab031b57d1e30553ce08e0ec131" # Default deny / state violation rule
block in log inet6 from {any} to {any} label "02f4bab031b57d1e30553ce08e0ec131" # Default deny / state violation rule
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "1d245529367b2e34eeaff16086aeafe9" # IPv6 RFC4890 requirements (ICMP)
pass out log quick inet6 proto ipv6-icmp from {(self)} to {fe80::/10,ff02::/16} icmp6-type {128,129,133,134,135,136} keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "42e9d787749713a849d8e92432efdfaa" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "8752fca75c6be992847ea984161bd3f1" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {::} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state label "71dd196398b3f1da265dbd9dcad00e70" # IPv6 RFC4890 requirements (ICMP)
block in log quick inet proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
pass log quick proto carp from {any} to {ff02::12} label "3b14fa6f8072123bf7a59d2fd29cbec3" # CARP defaults
pass log quick proto carp from {any} to {224.0.0.18} label "8203357325e6f08a501a6dec36b19112" # CARP defaults
block in log quick proto tcp from {<sshlockout>} to {(self)} port {22} label "669143f420c3ab4118bcb0bf4b5fd823" # sshlockout
block in log quick proto tcp from {<sshlockout>} to {(self)} port {443} label "6baefc2a9cf2536834c092a51134a45c" # sshlockout
block in log quick from {<virusprot>} to {any} label "8e367e2f9944d93137ae56d788c5d5e1" # virusprot overload table
pass in log quick on em0 proto udp from {fe80::/10} port {546} to {fe80::/10} port {546} label "a6cd2cce1bc1d912f6258ef1f3fb07e1" # allow dhcpv6 client in WAN
pass in log quick on em0 proto udp from {any} port {547} to {any} port {546} label "f7e4334c3e7dc4ba900c5780b828d4a3" # allow dhcpv6 client in WAN
pass out log quick on em0 proto udp from {any} port {546} to {any} port {547} label "5ba1258fcaf073eff4060b40ff63044d" # allow dhcpv6 client in WAN
# [prio: 5]
# block in log quick on em1 inet from {<bogons>} to {any} label "bf8a7b329d048c5183805d4f016fede9" # Block bogon IPv4 networks from LAN
# block in log quick on em1 inet6 from {<bogonsv6>} to {any} label "14dde492ca55ec468310c537f693dc8f" # Block bogon IPv6 networks from LAN
# block in log quick on em1 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on em1 inet6 from {fc00::/7} to {any} label "b41015c9cba1b7ab9fa566f6ee78f58c" # Block private networks from LAN
# block in log quick on lo0 inet from {<bogons>} to {any} label "ea4c1d75c7d0d4ee589a59cc88870f11" # Block bogon IPv4 networks from Loopback
# block in log quick on lo0 inet6 from {<bogonsv6>} to {any} label "509540f44cde74df1d28e2bc76b0a691" # Block bogon IPv6 networks from Loopback
# block in log quick on lo0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet6 from {fc00::/7} to {any} label "e0abd0daa005c9bd545c57004e7c1603" # Block private networks from Loopback
block in log quick on em0 inet from {<bogons>} to {any} label "b7cd97a164650b538506fb551a0369e7" # Block bogon IPv4 networks from WAN
block in log quick on em0 inet6 from {<bogonsv6>} to {any} label "f140a48ddade668b9d6f5259669a1d5c" # Block bogon IPv6 networks from WAN
block in log quick on em0 inet from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16} to {any} label "1eb94a38e58994641aff378c21d5984f" # Block private networks from WAN
block in log quick on em0 inet6 from {fc00::/7} to {any} label "45afd72424c84d011c07957569151480" # Block private networks from WAN
pass in quick on lo0 from {any} to {any} no state label "7535c94082e72e2207679aadb26afd92" # pass loopback
pass out log from {any} to {any} keep state allow-opts label "fae559338f65e11c53669fc3642c93c2" # let out anything from firewall host itself
pass in log quick on em1 proto tcp from {any} to {(self)} port {22 80 443} keep state label "bb72618316fdf630cdf15f33ae3d699f" # anti-lockout rule
# [prio: 400000]
block in quick on em0 inet proto {tcp udp} from {(em0:network)} to {(em1:network)} port $TEST_NEST label "0a0e878f6257c64e746594bfbd5ce4d3" # Default block TEST_NET in WAN to any rule
block in quick on em0 inet proto {tcp udp} from {(em0:network)} to $TEST1 label "2ce2cefba0076976998c756535b97179" # Default block TEST1 in WAN to any rule
pass in quick on em1 inet from {(em1:network)} to {any} label "13acbcf81b3471d2c7f9d57e844f8f47" # Default allow LAN to any rule
pass in quick on em1 inet6 from {(em1:network),fe80::/10} to {any} label "957c9ba30d824bcfb75ed013f9820cf1" # Default allow LAN IPv6 to any rule
root@OPNsense:~ #

This looks good. I still don't get why my rules are not working. I honestly think the aliases of type Port(s) are somehow ignored in rules. Hmmm, I have some studying/debugging to do. Any hints which could help me?
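
The distinction AdSchellevis points to (port aliases are pf.conf macros, network aliases are pf tables) can be read straight out of the dump above: only names that also have a `table <NAME> persist` line exist as tables that `pfctl -t NAME -T show` can query. The following is an added example, not OPNsense code, that parses a constructed rules.debug excerpt (names taken from the dump) and classifies each alias accordingly; the alias and rule values are assumptions for illustration.

```python
import re

# Constructed excerpt in the format OPNsense writes to /tmp/rules.debug
# (names and values modelled on the dump above; not a real firewall).
SAMPLE_RULES_DEBUG = """\
# User Aliases
table <TEST1>  persist
TEST1 = "<TEST1>"
TEST2 = "{ 443 }"
TEST3 = "{ 22 }"
TEST_NEST = "{ 443 22 }"
table <sshlockout>  persist
sshlockout = "<sshlockout>"
block in quick on em0 inet proto {tcp udp} from {(em0:network)} to {(em1:network)} port $TEST_NEST label "a"
block in quick on em0 inet proto {tcp udp} from {(em0:network)} to $TEST1 label "b"
"""

TABLE_RE = re.compile(r'^table\s+<([^>]+)>')      # table <NAME> persist
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"$')    # NAME = "value"


def classify_aliases(text):
    """Map alias name -> {'kind', 'value', 'used_in'}.

    'table': pf keeps a table for the alias (host/network aliases), so
    `pfctl -t NAME -T show` can list its members.
    'port-macro': the alias is only a pf.conf macro that pfctl substitutes
    into rules at load time; there is no table, so `pfctl -t` fails.
    """
    tables, macros, rules = set(), {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if (m := TABLE_RE.match(line)):
            tables.add(m.group(1))
        elif (m := MACRO_RE.match(line)):
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    result = {}
    for name, value in macros.items():
        ref = re.compile(r'\$' + re.escape(name) + r'\b')  # $NAME in a rule
        result[name] = {
            'kind': 'table' if name in tables else 'port-macro',
            'value': value,
            'used_in': [r for r in rules if ref.search(r)],
        }
    return result


def pfctl_show_works(aliases, name):
    """True when `pfctl -t NAME -T show` has a table to query."""
    return aliases.get(name, {}).get('kind') == 'table'


if __name__ == '__main__':
    for name, info in classify_aliases(SAMPLE_RULES_DEBUG).items():
        print(name, info['kind'], info['value'], 'used by', len(info['used_in']), 'rule(s)')
```

Pointing the script at a real /tmp/rules.debug (reading the file instead of the constructed string) shows which aliases the diagnostics page can list and which rules reference each macro.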

@ronin3510

ronin3510 commented Nov 17, 2023

Roy is not the only one affected; I'm seeing the issue on multiple firewalls where long-standing aliases in all forms are simply "ignored" in rules. There's a screenshot in this thread that shows the alias with 3 IPs, the ICMP rule at the top allowing the ping towards two IPs in the alias, and the pings failing in two cmd windows as the first rule in the chain is ignored and failing on the second one.

(screenshot: Aliases)

https://forum.opnsense.org/index.php?topic=37035.0

As a workaround I had to clone the affected rules with aliases and make it into individual IPs since some of these aliases are used in policy routing.

Roy seems to be using only Ports, while here I also have floating rules with URL Table IPs aliases, Networks and Hostnames as well.

@AdSchellevis (Member)

Usually these are configuration issues; best start with a simple ruleset and map assumptions to the ruleset. Your ticket doesn't explain which part doesn't work, but it's highly unlikely both aliases and macros don't work.....

@ronin3510

Hi Ad,

In my case we're talking about long running configurations that are pretty much untouched other than regular patching.

The screenshot above shows the simplest alias not working on a physical FW. I've added the two ICMP rules yesterday to verify the issue in a different environment than mine - and you can see the result. :) Otherwise that location is fine and ping works in IPv4 and IPv6 without issue.

While I moved all FWs to the snapshots/openssl branch as I was chatting with Franco online about how things work on 3.0.12, what was working fine in the alias world on 23.7.8/3.0.12 stopped on Monday morning going to 23.7.8_1/3.0.12.

Please let me know if there's any other info I can provide to help find what caused this.

@fichtner (Member)

The only thing I could really think of is a bad base patch; downgrading to 23.7.7 may help in that case. I don't see how the ports OpenSSL version could affect basic operations in the kernel, and the kernel didn't change in that area.

# opnsense-revert -br 23.7.7

and reboot for full effect…

@ronin3510

Yeah, clearly not an SSL issue; what worked on 1.1.1 would have to work on 3.x, and ICMP would not be affected.

Give me a few minutes to get out of snapshots and then onto .7

@ronin3510

I don't understand what's happening anymore...

Went back to base 23.7.7, then reverted opnsense too - with reboots in between, and no change.

Added an explicit rule for 9.9.9.9 - which is in the alias - and it gets ignored in the alias but matches on the explicit rule.

(screenshot: Aliases2)

So... if we exclude base as an issue, and I'm 99% confident this issue appeared in 23.7.8_1 - where there was no new base iirc - where is this coming from?

@AdSchellevis (Member)

@ronin3510 and just to be sure, did you check if the alias contains the configured data using diagnostics? The rules underneath are quite easy to inspect (/tmp/rules.debug); I don't think there have been changes in the latest core package on this topic.

@ronin3510

This is how things look in rules.debug:

root@OPNsense:~ # grep DNS /tmp/rules.debug
table <DNS_Ping> persist
DNS_Ping = "<DNS_Ping>"
pass in quick on igb3 inet proto icmp from {any} to $DNS_Ping icmp-type {echoreq} keep state label "adb602fbedf58eaff1d08f4f32a3cdac"
pass in quick on igb3_vlan69 inet proto icmp from {any} to $DNS_Ping icmp-type {echoreq} keep state label "55024eef91b5b03b0110f41892d23cf8"

pass in quick on igb3_vlan69 inet proto icmp from {any} to $DNS_Ping icmp-type {echoreq} keep state label "55024eef91b5b03b0110f41892d23cf8"
pass in quick on igb3_vlan69 inet proto icmp from {any} to {9.9.9.9} icmp-type {echoreq} keep state label "6e064d6dafecd9f1c74275f5b0de80d4"
block in quick on igb3_vlan69 inet proto icmp from {any} to {any} label "5ebc8a4d90f1332596ffbf8215690402"

@ronin3510

Diagnostics is actually empty - and was not loading at all while on 23.7.8_1 --- apologies, I thought it was clear as Roy mentioned it in the bug report.

(screenshot: Aliases3)

(screenshot: Diags)

@AdSchellevis (Member)

Again, Roy's question (missing port alias) was a clear one... these aren't aliases...

So the question is, why are yours empty? Does anything change when applying the aliases? Any errors in the logs?

You can trigger this process manually from the console as well, using:

/usr/local/opnsense/scripts/filter/update_tables.py

@ronin3510

ronin3510 commented Nov 17, 2023

Ha, so things broke on the snapshot branch for me then on _1; the other issue was ddclient that had a similar message and had to go from native to the ddclient backend - I think Franco opened a ticket for it.

Still...I'm not on OpenSSL 3.0.12 anymore, the machine is back on 1.1.1.w

root@OPNsense:~ # /usr/local/opnsense/scripts/filter/update_tables.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/filter/update_tables.py", line 39, in <module>
    from lib.alias import AliasParser
  File "/usr/local/opnsense/scripts/filter/lib/__init__.py", line 27, in <module>
    import dns.resolver
  File "/usr/local/lib/python3.9/site-packages/dns/resolver.py", line 30, in <module>
    import dns._ddr
  File "/usr/local/lib/python3.9/site-packages/dns/_ddr.py", line 12, in <module>
    import dns.nameserver
  File "/usr/local/lib/python3.9/site-packages/dns/nameserver.py", line 5, in <module>
    import dns.asyncquery
  File "/usr/local/lib/python3.9/site-packages/dns/asyncquery.py", line 32, in <module>
    import dns.quic
  File "/usr/local/lib/python3.9/site-packages/dns/quic/__init__.py", line 4, in <module>
    import aioquic.quic.configuration # type: ignore
  File "/usr/local/lib/python3.9/site-packages/aioquic/quic/configuration.py", line 6, in <module>
    from ..tls import (
  File "/usr/local/lib/python3.9/site-packages/aioquic/tls.py", line 24, in <module>
    import service_identity
  File "/usr/local/lib/python3.9/site-packages/service_identity/__init__.py", line 6, in <module>
    from . import cryptography, hazmat, pyopenssl
  File "/usr/local/lib/python3.9/site-packages/service_identity/pyopenssl.py", line 32, in <module>
    from OpenSSL.crypto import X509
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

Unsure where this export is supposed to happen... clearly not a one-liner.

root@OPNsense:~ # export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
export: Command not found.

@AdSchellevis (Member)

Reinstall? This is clearly not something broken in any production release.

@ronin3510

Yeah... this turned out in a very unexpected way, and I managed to hijack Roy's thread in the process - apologies Roy.

For now Ad - I just moved everything back to 23.7.8_20/3.0.12. Clearly the move back and forth wasn't the cleanest, and that can happen with non-prod, no issues there. Other than ddclient and now the aliases, things are running fine and I can wait a while for a fix to be available.

Since it's been a while since my last bootstrap, can you please let me know if it wipes the config or if it is preserved?
If I can do opnsense-bootstrap && reboot I can deal more easily with the plugin reinstallation and any other small tweaks that may be required after the machine is back up.

@roykrikke (Author)

> small tweaks may be required after the machine is back up.

Don't worry, I'll test again this weekend with a clean install, a simple config (configuration issues must be the root cause, as suggested by @AdSchellevis) and the hints given. To be continued...

@roykrikke (Author)

I made a clumsy mistake that I kept overlooking (I even feel a bit stupid, to be honest). My apologies! This item can be closed.
