Firewall: Settings: Advanced / syncookies - make stateless loopback rule conditional as a temporary solution and add a clear note about the state requirement. closes https://github.com/opnsense/core/issues/8008

2026-03-15 09:04:39 +00:00 · 2024-10-23 20:19:25 +02:00 · 2024-10-23 20:19:25 +02:00 · e7e7e57dc1
commit e7e7e57dc1
parent 2c4c5cf09b
2 changed files with 10 additions and 1 deletions
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -524,7 +524,12 @@ function filter_core_rules_system($fw, $defaults)
        }
    }
    // loopback. dont log internal communications
-    $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback', 'statetype' => 'none'), $defaults['pass']);
+    if (!empty($config['system']['syncookies'])) {
+        /* temporary work-around, syncookies require states to avoid dropping traffic */
+        $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback'), $defaults['pass']);
+    } else {
+        $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback', 'statetype' => 'none'), $defaults['pass']);
+    }
    // out from this Firewall
    $fw->registerFilterRule(
        5,
--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
@ -786,6 +786,10 @@ include("head.inc");
                  </div>
                  <div class="hidden" data-for="help_for_syncookies">
                      <?=gettext("When syncookies are active, pf will answer each incoming TCP SYN with a syncookie SYNACK, without allocating any resources.");?>
+                      <br/>
+                      <strong>
+                      <?=gettext("NOTE: this feature does require all tcp rules to be state aware, issues are to be expected when creating stateless rules");?>
+                      </strong>
                  </div>
                </td>
              </tr>