Aliases ignored in rules since 23.7.8_1/3.0.12

[newsense]

Hi Franco,

Here's an example taken from one of the FWs I moved on to 3.0.12 which hasn't been otherwise modified in a long time other than regular patching.

I already had he alias created or a while, just moved it now at the top and added the explicit deny right after.

Verified in conf.xml the alias_uuid matches in both rule and alias sections, aliases are enabled and no other "garbage" appears to be present in the configuration.



As you can see in the screenshot, the rules are simple and the two running pings fail - so the alias is somehow ignored

1. Allow ICMP to Alias (1.1.1.1, 8.8.8.8 and 9.9.9.9)
2. Deny ICMP


The firewalls are now on OPNsense 23.7.8_14. 

I'll be back shortly after I deploy a fresh VM and try o reproduce it there on stock 23.7 fully updated.

[doktornotor]

3.0.12 of what?

[newsense]

OpenSSL 3.0.12

[doktornotor]

Hmm, I don't think OpenSSL is relevant in any way for aliases, unless you are trying to fetch them from https url perhaps.

[newsense]

Nope, as you can see in the screenshot they're IPs.

I'm mentioning OpenSSL for clarity so Franco doesn't have to guess if we're talking about a stock OPNsense or what's now in snapshots.

[neptunus]

Could you share a

Code: [Select]

/tmp/rules.debug

See https://github.com/opnsense/core/issues/7017 why I'm asking. I got a good hint from @AdSchellevis

I haven't quite figured it out yet either. I have this issue with Aliases type Port(s)

[seed]

might be related with:

https://forum.opnsense.org/index.php?topic=36967.msg180814#msg180814

[newsense]

This issue is exclusive to the snapshot branch that is currently testing OpenSSL 3.0, production 23.7 is not affected.


This is the error that is affecting the alias tables and the native backend in DynDNS. For DynDNS a workaround is to solution is change the backend to ddclient.

Code: [Select]

    from lib.alias import AliasParser
  File "/usr/local/opnsense/scripts/filter/lib/__init__.py", line 27, in <module>
    import dns.resolver
  File "/usr/local/lib/python3.9/site-packages/dns/resolver.py", line 30, in <module>
    import dns._ddr
  File "/usr/local/lib/python3.9/site-packages/dns/_ddr.py", line 12, in <module>
    import dns.nameserver
  File "/usr/local/lib/python3.9/site-packages/dns/nameserver.py", line 5, in <module>
    import dns.asyncquery
  File "/usr/local/lib/python3.9/site-packages/dns/asyncquery.py", line 32, in <module>
    import dns.quic
  File "/usr/local/lib/python3.9/site-packages/dns/quic/__init__.py", line 4, in <module>
    import aioquic.quic.configuration  # type: ignore
  File "/usr/local/lib/python3.9/site-packages/aioquic/quic/configuration.py", line 6, in <module>
    from ..tls import (
  File "/usr/local/lib/python3.9/site-packages/aioquic/tls.py", line 24, in <module>
    import service_identity
  File "/usr/local/lib/python3.9/site-packages/service_identity/__init__.py", line 6, in <module>
    from . import cryptography, hazmat, pyopenssl
  File "/usr/local/lib/python3.9/site-packages/service_identity/pyopenssl.py", line 32, in <module>
    from OpenSSL.crypto import X509
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY.