"Block private networks" seems to create a defective firewall rule (cosmetic problem only)

[meyergru]

The interface setting "block private networks" creates an automatic rule that shows the following networks in it: 10.0.0.0/8, 27.0.0.0/8, 00.64.0.0/10, 72.16.0.0/12, 92.168.0.0/16.

Expected behavior

The networks seem to be shortened, they should be 10.0.0.0/8, 127.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16

Additional context

It seems like 23.7.8 did not expose this behaviour. See https://forum.opnsense.org/index.php?topic=37389.0.

I do not know if opnsense/core contains the root cause, because it did not find this in the source.

Environment

OPNsense 23.7.9 (amd64).

[fichtner]

How was this diagnosed... by trusting pfctl output or by testing the actual rule?

[meyergru]

By looking at the automatic rule in the GUI. Try it for WAN, for example and look at the firewall rules.

[fichtner]

Screenshot for context please.

[meyergru]

(I could not believe it, either)

[fichtner]

Could be cosmetical from the last commit that I did. This isn’t even diagnostics data.

[meyergru]

Yes, sure looks so:

block drop in quick on igc3 inet from 10.0.0.0/8 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc3 inet from 127.0.0.0/8 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc3 inet from 100.64.0.0/10 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc3 inet from 172.16.0.0/12 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc3 inet from 192.168.0.0/16 to any label "1072878c6245b52440bc89c6107a9d0a"

So it is probably bad formatting.

[fichtner]

Not something that is easy to spot... 52f3939

Thanks for the report!