NAT action is set as Pass instead of RDR

Open julsssark opened this issue 1 year ago • 4 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

NAT rules that are configured with logging enabled show up in the live log (and remote syslog) as Pass actions. The NAT itself is still working correctly (good news) but this bug breaks downstream monitoring/alerting for RDR actions. This behavior started with 24.7.6.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Steps to reproduce the behavior:

  1. Create new NAT rule and enable logging. See screenshot for the NAT rule I am using for this issue. The issue occurs with all 3 of my NAT rules.
  2. Set Live View to filter for NAT condition (note that filter for RDR will not work because nothing will be returned).
  3. Trigger NAT rule
  4. NAT action will be displayed as a Pass log with no description (see screenshot)

Expected behavior

Logs should show NAT action as RDR (blue in my case with an RDR symbol), and description should contain the description from the NAT rule.

Describe alternatives you considered

None. NAT is still working correctly, it is just recording incorrectly in the logs and remote logs.

Screenshots

  1. NAT rule
  2. Live view with what should be an RDR detail record displayed. Note that the action is Pass and the description in the live view listing is blank. [screenshots: NAT rule, Log Result]

Relevant log files

If applicable, information from log files supporting your claim.

Additional context

Add any other context about the problem here.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.6-amd64 FreeBSD 14.1-RELEASE-p5 OpenSSL 3.0.15

julsssark avatar Oct 14 '24 14:10 julsssark
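The monitoring impact the report describes (NAT hits arriving as a Pass action with no description, so anything that alerts on RDR actions goes blind) can be checked directly in the log pipeline. The following is an added example, not code from the issue or from the OPNsense project: a small parser for filterlog lines plus a check that flags a log window in which NAT rules are expected to log but no rdr/nat/binat action ever appears. It assumes the comma-separated filterlog layout (rulenr, subrulenr, anchorname, rid, interface, reason, action, dir, ipversion, then the IPv4 or IPv6 header fields) and the sample log lines, host name and rid value are constructed for this example.

```python
"""Check that NAT (rdr) hits show up as such in OPNsense filterlog output.

Added example; the log lines, host and rid values below are constructed.
Field layout is the comma-separated filterlog format as assumed here:
rulenr,subrulenr,anchorname,rid,interface,reason,action,dir,ipversion,...
"""
import re
from collections import Counter
from dataclasses import dataclass

# The CSV body starts with the rule number; everything before "filterlog" is
# the syslog header (assumed: the body itself contains no whitespace).
FILTERLOG_RE = re.compile(r"filterlog\b.*?(?P<body>\d+,\S*)$")

FIXED_FIELDS = ("rulenr", "subrulenr", "anchorname", "rid",
                "interface", "reason", "action", "dir", "ipversion")

# pf actions that belong to NAT rules rather than filter rules
NAT_ACTIONS = {"rdr", "nat", "binat"}


@dataclass
class FilterEntry:
    rulenr: str
    rid: str          # rule id / label hash; "0" or empty when there is none
    interface: str
    action: str
    direction: str
    src: str
    dst: str


def parse_line(line):
    """Parse one syslog line into a FilterEntry, or None if it is not filterlog."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    fields = m.group("body").split(",")
    if len(fields) < len(FIXED_FIELDS):
        return None
    head = dict(zip(FIXED_FIELDS, fields))
    rest = fields[len(FIXED_FIELDS):]
    # IPv4 tail: tos,ecn,ttl,id,offset,ipflags,protonum,protoname,length,src,dst,...
    # IPv6 tail: class,flowlabel,hlim,protoname,protonum,length,src,dst,...
    if head["ipversion"] == "4" and len(rest) >= 11:
        src, dst = rest[9], rest[10]
    elif head["ipversion"] == "6" and len(rest) >= 8:
        src, dst = rest[6], rest[7]
    else:
        src = dst = ""
    return FilterEntry(head["rulenr"], head["rid"], head["interface"],
                       head["action"], head["dir"], src, dst)


def action_counts(lines):
    """Count entries per pf action (pass, block, rdr, ...)."""
    counts = Counter()
    for entry in map(parse_line, lines):
        if entry:
            counts[entry.action] += 1
    return counts


def nat_hits(lines):
    """Return the entries that were logged with a NAT action."""
    return [e for e in map(parse_line, lines) if e and e.action in NAT_ACTIONS]


def check_nat_logging(lines, nat_rules_logged=True):
    """Return (ok, message).

    When NAT rules with logging enabled exist but no rdr/nat/binat action is
    seen in the window, NAT hits are being recorded under another action
    (the symptom in this issue) and any alert keyed on RDR is silently blind.
    """
    hits = nat_hits(lines)
    if nat_rules_logged and not hits:
        return False, "no rdr/nat/binat actions seen; NAT hits may be logged as pass"
    return True, "%d NAT entries seen" % len(hits)


# Constructed samples: the same inbound connection hitting a logged rdr rule
# and the associated pass rule. HEALTHY_LOG is the expected shape; BUGGY_LOG
# is the shape reported here (NAT hit shown as pass with an empty rid).
HEALTHY_LOG = [
    "Oct 14 14:10:01 fw filterlog[1234]: 12,,,0,igb0,match,rdr,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51000,443,0,S,1000000,,65535,,mss",
    "Oct 14 14:10:01 fw filterlog[1234]: 87,,,5f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f,igb0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.20,51000,443,0,S,1000000,,65535,,mss",
]
BUGGY_LOG = [
    "Oct 14 14:10:01 fw filterlog[1234]: 12,,,,igb0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51000,443,0,S,1000000,,65535,,mss",
    "Oct 14 14:10:01 fw filterlog[1234]: 87,,,5f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f,igb0,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.20,51000,443,0,S,1000000,,65535,,mss",
]

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("buggy", BUGGY_LOG)):
        print(name, dict(action_counts(log)), check_nat_logging(log))
```

Running the block prints one rdr and one pass entry for the healthy window and two pass entries plus a failing check for the buggy one; the same check, fed from syslog on the collector, is the cheapest way to notice that a kernel update changed how NAT actions are logged before an RDR-based alert quietly stops firing.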

I am sorry I opened it to the wrong component. I am learning. Thanks for moving.

julsssark avatar Oct 14 '24 17:10 julsssark

@julsssark don't be sorry, I'm just moving it here because I expect it's a kernel thing. I was able to reproduce it, but given our current busy schedule a fix might take a bit of time to mature. You can revert the kernel to the previous one with opnsense-update -kr 24.7.5 by the way.

AdSchellevis avatar Oct 14 '24 17:10 AdSchellevis

Thanks @AdSchellevis. OPNsense is awesome and I want to help out.

julsssark avatar Oct 14 '24 18:10 julsssark

I'll chime in here, I can confirm now that revert of kernel to 24.7.5 fixes problems in live log.

Log entries started to look normal after revert, also there are no more ipv4 tcp entries in log with IPv6 RFC4890 requirements (ICMP) label. For some screenshots please see https://forum.opnsense.org/index.php?topic=43357.msg215621. If you need anything else or have something to test upfront release, I'm happy to help.

marunjar avatar Oct 14 '24 19:10 marunjar

Still Present on 24.7.8

awptechnologies avatar Nov 11 '24 19:11 awptechnologies

Yep.

fichtner avatar Nov 11 '24 20:11 fichtner

for cross reference and some more screenshots:

opnsense forum post

spacerunner5 avatar Nov 20 '24 10:11 spacerunner5

I think I found the regression in an upstream commit pulled in at the same time for 24.7.6 for mildly related reasons...

# opnsense-update -zkr 24.7.8-nat
# opnsense-shell reboot

A quick confirm would be appreciated.

Cheers, Franco

fichtner avatar Nov 26 '24 09:11 fichtner

confirmed working. NAT states are "back and blue" again in the FW->LiveView, labeled "nat rule" with this patch.

@Franco: Although I created a manual nat rule and added a description, it's still labeled "nat rule" in the FW->liveView. Is this expected / on purpose? If expected, could that be changed?

spacerunner5 avatar Nov 26 '24 11:11 spacerunner5

@spacerunner5 'rdr', 'nat' and 'binat' all are referred to as NAT rules, yes. NAT rules also do not support labels (not sure if this changed in FreeBSD 14 but I would be surprised if it had). The internals are a bit complicated. :)

fichtner avatar Nov 26 '24 11:11 fichtner

(thanks for testing, closing from here but will push a fix and test case to FreeBSD)

fichtner avatar Nov 26 '24 11:11 fichtner

just one more question - sorry to add noise after closing: Before updating to test I did a snapshot and now rolled it back. Is it correct that the base system shows 24.7.8 although opnsense 24.7.9_1 is installed (confusing)?

spacerunner5 avatar Nov 26 '24 12:11 spacerunner5

Yes, we do not always release a new base/kernel, because if nothing changed a reboot is avoided and about 150 MB of download and associated disk churn as well.

fichtner avatar Nov 26 '24 12:11 fichtner

thanks Franco

spacerunner5 avatar Nov 26 '24 12:11 spacerunner5

Thank you Franco and team! I applied the patch and the beautiful blue RDRs are back and my associated pass rule is there with the rule label.

julsssark avatar Nov 26 '24 15:11 julsssark

Nice to hear. The fix will officially ship in 24.7.10 next week.

Cheers, Franco

fichtner avatar Nov 26 '24 16:11 fichtner

Nice job guys works like a charm

awptechnologies avatar Nov 26 '24 16:11 awptechnologies

Is it possible for router software to bring joy? I say yes.

julsssark avatar Nov 26 '24 17:11 julsssark

FWIW, upstream review https://reviews.freebsd.org/D47777

fichtner avatar Nov 27 '24 09:11 fichtner