I upgraded to OPNsense 21.7.2-amd64 today. Several rulesets/interfaces have their rules order garbled. This has caused major issues. ex. reject * moved from end/final rule position to somewhere in the middle or higher.
Anyone else experienced this with the update or before?
This manifests when adding a new rule too. The block rules are moved elsewhere.
Edit: when saving, the order is shuffled.
Confirm, same problem here after upgrade to 21.7.2
I can restore settings using a XML configuration backup, but when touching any firewall rule the order of rules gets mixed up on all on all interface not just the one being modified.
Could this be https://github.com/opnsense/core/commit/5993751b74 ?
# opnsense-patch 5993751b74
I just had a brain stroke when I read that patch and realize it happens in all interfaces...
Jesus. This might be the worst one yet. Time to check which backup has the right config.
Wish me luck!
Is that a confirm on the patch or a random rant? :)
I will prep a hotfix right away if this is confirmed. Looks like we will have to blacklist that contributor now...
FWIW, either my rules were already botched or I can't see the impact in my ruleset when I save a rule to invoke that sorting code. The patch - or rather - the sorting code is pretty weird by itself so if anyone has a configuration diff to share for rule reordering that would be great.
Thanks for providing the fix so quickly:
# opnsense-patch 5993751b74
this has solved the above mentioned problem.
Never an ill intentioned rant, I don't get to complain about something that is free despite the effort it takes to develop this. And certainly not the kind to make a petty joke.
I genuinely worried this messed up the rules in a system that has *many* of them in specific order (more OCD of my own) to optimize the traffic and keep things sane.
But: I can confirm that this fixes it, or so it seems. The behavior was as follows (I cannot revert/change things up in this system and I dont have a test VM handy):
- Pick any interface
- Go to its ruleset
- Add or modify any rule, make sure you have some already, and one or two blocking rules.
- Save
- The order of the rules should be different now.
- Check a different interface, and the same situation applies.
No worries, I was just trying to ask for confirmation in a weird way. :)
So I reverted the patch and published 21.7.2_1 and will look more closely at it later today.
No doubt you will figure it out Franco, but it is perhaps understandable the original contributor thought a change was necessary given lines 75 and 77 have the same condition, making 77 and 78 redundant [emoji2962]. It just seems they picked the wrong thing to change...
Right, that's certainly why it was accepted in the first place, but likely it should have not.
The joys (perils) of open source [emoji23]
Even though I already think I know the answer to this, I feel I need to ask. I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?
Under the assumption that you can still find a mirror with the wrong version active... yes.
Just want to say that I had the same failure and after upgrading to 21.7.2_1 + restoring the Backup it is fixed!
Thank you very much.
I would also like to have an answer to this. I am wondering exactly the same thing. I upgraded yesterday to the 21.7.2 release but did not change any firewall rules. My assumption is that I am not affected and I have double-checked and tested the firewall rules and they seem to be fine. However, still have a little bit annoying feeling. :-\
My assumption is that to be affected, you specifically needed to modify and save the rules. Is this correct?
Thank you franco and all for the fast hotfix release! Great job again! Nice release anyway, so many upgrades without any issues :)
@All - Requests when the error occurs
This error would only occur with rule changes
in the firewall! > With only update to 21.7.2 and reboot
there are no problems.
Since there is a fix since today thanks to the diligent, this should also be triggered
should be triggered.
The version number changes to OPNsense 21.7.2_1-amd64.
In case it was too late for some of you, you can use Putty ssh
on the cli point: 13 to select a restore point.
Greetings from Germany
This comparator seems pretty weird to me, and it certainly wasn't correct to begin with.
As far as I understand it, it sorts floating to front, inside interfaces (and floating) in seq order, and then sorts wan and lan before all other interfaces, after that interfaces in alphabetial order. Not to mention that one of the paths is never reached at line 77.
So why does it sort lan and wan to front after floating? I imagine many users don't even have lan and wan interfaces any more.
Anyway lucky me that my ruleset does not depend on ordering.
I think it was trying to enforce that "wan" comes before "lan", which isn't natural ordering.
Here is the commit adding it in 2016 with the duplicated if branch:
I'm interested in the plan moving forward on this. Is the plan now just to leave the file as it is currently, after the hotfix, or is the intention to review all of the file to verify it is otherwise behaving as it should? There are some suggestions in the comments here that perhaps some aspects are not logical? I'd have thought that correct ordering of fw rules is pretty important, at least if people are assuming (based on the docs) that it is
I don't see a lot of potential for further changes.
If it were me, I would dislike the comparison of interface names to strings.
It's undocumented functionality, imo it's doubtful if it's necessary at all, and if you delete and recreate those interfaces they get optXX names and the code is useless anyway.