pfSense Support Subscription

Author Topic: Firewall rules added from GUI want to add 802.1p, which causes errors  (Read 3468 times)

0 Members and 1 Guest are viewing this topic.

Offline timthetortoise

  • Full Member
  • ***
  • Posts: 288
  • Karma: +9/-0
    • View Profile
Version:
2.1-BETA1 (i386)
built on Wed Apr 10 06:38:57 EDT 2013
FreeBSD 8.3-RELEASE-p7

To reproduce:
1. Add firewall rule. I can't find any options that don't have this behavior, so any combination of them should work. Don't select any advanced options
2. Save rule
3. Edit that rule. There are 802.1p options with "none." Once you apply, you get a notice like:

Code: [Select]
04-10-13 12:39:45 [ There were error(s) loading the rules: /tmp/rules.debug:166: invalid ieee8021q_pcp value none - The line in question reads [166]: block in quick on $GUESTNETWORK inet from x.x.x.x/x to y.y.y.y/y ieee8021q-pcp none ieee8021q-setpcp none label USER_RULE]
I can temporarily add rules via easyrule, but I'm not so sure these are even working as intended, as some inter-VLAN traffic that should be blocked (and was with 2.0.2) is passing with no problem. If there is already a fix for this, I'd appreciate a link. Thanks in advance!

Edit: the offending rules.debug line is:

Code: [Select]
block  in  quick  on $GUESTNETWORK inet proto tcp  from x.x.x.x/x to y.y.y.y/y  ieee8021q-pcp none  ieee8021q-setpcp none  label "USER_RULE"
Edit2: I've made a temporary workaround by modifying firewall_rules_edit.php:

Code: [Select]
   621                 if ($_POST['vlanprio'] != "" && $_POST['vlanprio'] != "none") {
    622                         $filterent['vlanprio'] = $_POST['vlanprio'];
    623                 }
    624                 if ($_POST['vlanprioset'] != "" && $_POST['vlanprioset'] != "none") {
    625                         $filterent['vlanprioset'] = $_POST['vlanprioset'];
    626                 }

I don't have a copy of 2.0.2 handy, but I'm assuming it's got to do with an array value (none) that was blank, but is now populated.

Edit3: lots of edits! Pretty sure the following is what was intended (again, firewall_rules_edit.php):

Code: [Select]
  1316                                         foreach($vlanprio as $vprio) {
   1317                                                 if ($vprio == $pconfig['vlanprio'])
   1318                                                         $selected = " selected=\"selected\"";
   1319                                                 else
   1320                                                         $selected = "";
   1321                                                 if ($vprio == "none")
   1322                                                         $opts .= "<option value=\"\">{$vprio}</option>\n";
   1323                                                 else
   1324                                                         $opts .= "<option value=\"{$vprio}\" {$selected}>" . strtoupper($vprio) . "</option>\n";
   1325                                         }

Original was:

Code: [Select]
  1316                                         foreach($vlanprio as $vprio) {
   1317                                                 if ($vprio == $pconfig['vlanprio'])
   1318                                                         $selected = " selected=\"selected\"";
   1319                                                 else
   1320                                                         $selected = "";
   1321                                                 if ($vprio == "none")
   1322                                                         $opts .= "<option value=\"{$vprio}\">{$vprio}</option>\n";
   1323                                                 else
   1324                                                         $opts .= "<option value=\"{$vprio}\" {$selected}>" . strtoupper($vprio) . "</option>\n";
   1325                                         }

So, it appears problem solved with that edit.
« Last Edit: April 10, 2013, 12:46:42 pm by timthetortoise »

Offline dotdash

  • Hero Member
  • *****
  • Posts: 1872
  • Karma: +91/-0
    • View Profile
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #1 on: April 10, 2013, 03:22:11 pm »
Thanks for the catch. Found this on a fresh install using pfSense-memstick-2.1-BETA1-i386-20130410-0638.img.gz
Did the edit to line 1322 and it appears to be fixed.
Looks like a problem with this snapshot. I'm sure it's because I decided to grab the latest to load on a production box...

Offline Aderium

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
    • Aderium
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #2 on: April 11, 2013, 11:12:53 am »
Has this been fixed ? Updated to latest snapshot in 2.1 and now I get same issue

11:54:18   [ There were error(s) loading the rules: /tmp/rules.debug:466: invalid ieee8021q_pcp value none - The line in question reads [466]: pass in quick on $WAN reply-to ( bge1 208.73.1.1 ) inet proto tcp from any to $dss port 443 ieee8021q-pcp none ieee8021q-setpcp none flags S/SA keep state label USER_RULE: LB access]

Cant add in any rules
Anthony Palermo

Offline timthetortoise

  • Full Member
  • ***
  • Posts: 288
  • Karma: +9/-0
    • View Profile
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #3 on: April 11, 2013, 11:27:50 am »
Could you copy and paste your /usr/local/www/firewall_rules_edit.php file at line 1322? My revision got merged, but I'm not sure if it made it into the latest snapshot.

If it doesn't look like this:

Code: [Select]
$opts .= "<option value=\"\">{$vprio}</option>\n";
you should be able to edit it to that until it's in the next latest.
« Last Edit: April 11, 2013, 11:29:23 am by timthetortoise »

Offline Aderium

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
    • Aderium
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #4 on: April 11, 2013, 12:37:35 pm »
This is what I see in that line

$opts .= "<option value=\"\">{$vprio}</option>\n";
Anthony Palermo

Offline Aderium

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
    • Aderium
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #5 on: April 11, 2013, 12:38:52 pm »
I am not sure if it looks the same or not but I still get that error when creating new rules.

What else would you like to see ?
Anthony Palermo

Offline timthetortoise

  • Full Member
  • ***
  • Posts: 288
  • Karma: +9/-0
    • View Profile
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #6 on: April 11, 2013, 12:56:14 pm »
Are you sure that it's from new rules you're adding? I cannot reproduce this behavior with the edited code, but if rules created while this bug was in are still in use and haven't yet been re-saved, that may be where it's coming from. I'd recommend moving through your rules and making sure that the 802.1p section is not expanded anywhere you don't expect it to be.

A quick way to test if it's affecting new rules is to just create one and save it, then edit it immediately after. If the 802.1p section is expanded, weird stuff is afoot. If it's not, old rules are the culprit.
« Last Edit: April 11, 2013, 12:58:22 pm by timthetortoise »

Offline Aderium

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
    • Aderium
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #7 on: April 11, 2013, 03:03:16 pm »
Well,

Every time I add a rule I see this notification. Quiet frankly it looks like there are other things jammed up now. Which may go back to the rules being jammed while the bug is in. Some natting seems to not work correctly fo sure.
When was this issue introduced and can I update to a prior version ?
Anthony Palermo

Offline Aderium

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +0/-0
    • View Profile
    • Aderium
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #8 on: April 11, 2013, 03:10:30 pm »
I'd recommend moving through your rules and making sure that the 802.1p section is not expanded anywhere you don't expect it to be.

A quick way to test if it's affecting new rules is to just create one and save it, then edit it immediately after. If the 802.1p section is expanded, weird stuff is afoot. If it's not, old rules are the culprit.

Where is this section ? in the /usr/local/www/firewall_rules_edit.php Can you paste what it should look like ?

Anthony Palermo

Offline timthetortoise

  • Full Member
  • ***
  • Posts: 288
  • Karma: +9/-0
    • View Profile
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #9 on: April 11, 2013, 03:15:52 pm »
The relevant line you pasted is correct. Create a rule and save it. Now immediately edit that rule. If it looks like the one on the right, something weird is going on. If it looks like the one on the left, the notifications are from old rules reloading. You SHOULD be able to go into each of those rules and save them to get rid of the "none" value.


Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 20654
  • Karma: +1281/-17
    • View Profile
Re: Firewall rules added from GUI want to add 802.1p, which causes errors
« Reply #10 on: April 12, 2013, 10:22:29 am »
This should be fixed all-around in current snapshots. It will ignore the none if it's there and edit/save will remove it.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!