
Normalization broken (ignoring the port)

Open dMopp opened this issue 1 year ago • 2 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Let's assume I create the following rule:

  • Interface: WAN, SERVERS
  • Direction: Any
  • Protocol: UDP
  • Source: Any
  • Destination: Any
  • Destination port: 53

The port gets ignored.

Output from pfctl -s rules | grep set-tos:

scrub in on vlan0.10 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble
scrub in on pppoe0 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble

A clear and concise description of what the bug is, including last known working version (if any).

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Create a normalization rule including a PORT and you will see it's getting ignored.

Expected behavior

The port should NOT be ignored, so I can create proper TOS.

Describe alternatives you considered

I tried different combinations (in, out, udp, tcp, whatever) but the port is NEVER used.

Screenshots

(screenshot attachment of the normalization rule; image not included)

Relevant log files


Additional context

I found out that under /tmp/rules.debug I see the following rule:

scrub in on { vlan0.10 pppoe0 } proto udp from $LOCALNETS to any port 53 set-tos cs5

but pfctl -s rules | grep set-tos shows:

scrub in on vlan0.10 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble
scrub in on pppoe0 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.1.3_1-amd64 FreeBSD 13.2-RELEASE-p10 OpenSSL 3.0.13

dMopp avatar Mar 20 '24 22:03 dMopp

port = domain? Looks normal to me.

AdSchellevis avatar Mar 21 '24 14:03 AdSchellevis
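The two forms quoted in the report are the same rule printed two ways: when loading, pf expands `on { vlan0.10 pppoe0 }` into one rule per interface, and `pfctl -s rules` prints port 53 by its /etc/services name (`domain`) and `set-tos cs5` as the full TOS byte (DSCP 40 shifted left two bits, 0xa0). The `$LOCALNETS` macro in rules.debug expands to the `<LOCALNETS>` table reference. Below is an added example, not OPNsense or pf code, that normalizes both forms and checks that the loaded ruleset is exactly the expansion of the configured rule, so a dropped port (as in the `port any` output the reporter initially saw) is detected. The sample lines are the ones from this issue; the `SERVICES_FALLBACK` table and the function names are this example's own.

```python
import re
import socket

# DSCP code points (RFC 2474 class selectors, RFC 3246 EF, RFC 2597 AF) as the
# six-bit DSCP value. pf prints set-tos as the eight-bit TOS byte, i.e. DSCP << 2,
# which is why "cs5" (40) is shown as 0xa0 (160) by pfctl.
DSCP = {
    "cs0": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56,
    "ef": 46,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
}

# Assumed fallback for hosts without /etc/services; socket.getservbyname() is tried first.
SERVICES_FALLBACK = {"domain": 53, "http": 80, "https": 443, "ntp": 123, "ssh": 22}

# Constructed sample input: the rule from /tmp/rules.debug and the two lines
# `pfctl -s rules | grep set-tos` printed for it, as quoted in the issue.
CONFIG_LINE = "scrub in on { vlan0.10 pppoe0 } proto udp from $LOCALNETS to any port 53 set-tos cs5"
PFCTL_LINES = [
    "scrub in on vlan0.10 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble",
    "scrub in on pppoe0 proto udp from <LOCALNETS> to any port = domain set-tos 0xa0 fragment reassemble",
]


def tos_byte(token):
    """Map a set-tos argument to the TOS byte: 'cs5' -> 160, '0xa0' -> 160, '160' -> 160."""
    t = token.lower()
    if t in DSCP:
        return DSCP[t] << 2
    return int(t, 0)


def port_number(token):
    """Map a port token to a number: '53' -> 53, 'domain' -> 53 (the name pfctl prints)."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        return SERVICES_FALLBACK[token]


RULE_RE = re.compile(
    r"^scrub (?P<dir>in|out) on (?:\{ (?P<iflist>[^}]+) \}|(?P<ifone>\S+))"
    r" proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= )?(?P<port>\S+))?(?: set-tos (?P<tos>\S+))?"
)


def parse_scrub(line):
    """Parse one scrub rule into a list of normalized per-interface tuples.

    pf expands `on { a b }` into one rule per interface at load time, so the
    config form is expanded the same way here. Trailing defaults that pfctl
    appends (e.g. "fragment reassemble") are ignored for the comparison.
    """
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a scrub rule: %r" % line)
    ifaces = m.group("iflist").split() if m.group("iflist") else [m.group("ifone")]
    # $LOCALNETS (macro in rules.debug) and <LOCALNETS> (table in pfctl output)
    # name the same alias; reduce both spellings to the bare name.
    src = m.group("src").strip("$<>")
    dst = m.group("dst").strip("$<>")
    port = port_number(m.group("port")) if m.group("port") else None
    tos = tos_byte(m.group("tos")) if m.group("tos") else None
    return [(m.group("dir"), ifc, m.group("proto"), src, dst, port, tos) for ifc in ifaces]


def loaded_matches_config(config_line, pfctl_lines):
    """True when the rules pfctl prints are exactly the expansion of config_line."""
    want = set(parse_scrub(config_line))
    have = set()
    for ln in pfctl_lines:
        have.update(parse_scrub(ln))
    return want == have


if __name__ == "__main__":
    print("loaded ruleset matches config:", loaded_matches_config(CONFIG_LINE, PFCTL_LINES))
```

On the firewall itself, `pfctl -P -s rules` prints ports numerically instead of by service name, which removes the `domain` vs `53` confusion when eyeballing the output; the script above is for comparing saved output offline.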

Wait, before I posted this, there was port any and now there is port = domain O_O. Maybe there was a bug before and after recreating the rule it's fixed; I will double-check, sorry so far!

dMopp avatar Mar 21 '24 14:03 dMopp

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Sep 16 '24 21:09 OPNsense-bot