OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: blblblb on September 07, 2021, 06:57:34 pm

Title: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: blblblb on September 07, 2021, 06:57:34 pm
I upgraded to OPNsense 21.7.2-amd64 today. Several rulesets/interfaces have their rules order garbled. This has caused major issues. ex. reject * moved from end/final rule position to somewhere in the middle or higher.

Anyone else experienced this with the update or before?

Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: blblblb on September 07, 2021, 07:34:59 pm
This manifests when adding a new rule too. The block rules are moved elsewhere.
Edit: when saving, the order is shuffled.
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: rico3 on September 07, 2021, 08:31:06 pm
Confirm, same problem here after upgrade to 21.7.2
I can restore settings using an XML configuration backup, but when touching any firewall rule the order of rules gets mixed up on all interfaces, not just the one being modified.
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 07, 2021, 08:32:54 pm
Could this be https://github.com/opnsense/core/commit/5993751b74 ?

# opnsense-patch 5993751b74


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: blblblb on September 07, 2021, 08:40:18 pm
I just had a brain stroke when I read that patch and realized it happens in all interfaces...
Jesus. This might be the worst one yet. Time to check which backup has the right config.
Wish me luck!
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 07, 2021, 08:58:25 pm
Is that a confirm on the patch or a random rant? :)

I will prep a hotfix right away if this is confirmed. Looks like we will have to blacklist that contributor now...


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 07, 2021, 09:14:02 pm
FWIW, either my rules were already botched or I can't see the impact in my ruleset when I save a rule to invoke that sorting code. The patch - or rather - the sorting code is pretty weird by itself so if anyone has a configuration diff to share for rule reordering that would be great.


Thanks,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: Mondmann on September 07, 2021, 10:11:22 pm
@franco
Thanks for providing the fix so quickly:
# opnsense-patch 5993751b74
this has solved the above mentioned problem.
(and no one resents anything especially since the forum
helps at any time )
we are just happy that all developers,
supporters and helpers so you are there for us...


Greetings from Germany
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: blblblb on September 07, 2021, 10:27:54 pm
Quote from: franco on September 07, 2021, 08:58:25 pm
Is that a confirm on the patch or a random rant? :)

I will prep a hotfix right away if this is confirmed. Looks like we will have to blacklist that contributor now...


Cheers,
Franco

Never an ill-intentioned rant, I don't get to complain about something that is free despite the effort it takes to develop this. And certainly not the kind to make a petty joke.

I genuinely worried this messed up the rules in a system that has *many* of them in specific order (more OCD of my own) to optimize the traffic and keep things sane.

But: I can confirm that this fixes it, or so it seems. The behavior was as follows (I cannot revert/change things up in this system and I don't have a test VM handy):

- Pick any interface
- Go to its ruleset
- Add or modify any rule, make sure you have some already, and one or two blocking rules.
- Save
- The order of the rules should be different now.
- Check a different interface, and the same situation applies.
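
An added example, not part of the original posts and not OPNsense code: one way to check whether a save reordered rules is to compare a known-good configuration backup with the current configuration, per interface. It assumes rules are stored under `<filter><rule>` with `<type>`, `<interface>` and `<descr>` children and that descriptions are unique per interface; the function names and the sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def rules_by_interface(xml_text):
    """Map interface -> [(type, descr), ...] in the order stored in the file."""
    grouped = {}
    for rule in ET.fromstring(xml_text).iterfind("./filter/rule"):
        # Assumption: floating rules carry a <floating> element.
        floating = rule.find("floating") is not None
        iface = "floating" if floating else rule.findtext("interface", "?")
        entry = (rule.findtext("type", "pass"), rule.findtext("descr", ""))
        grouped.setdefault(iface, []).append(entry)
    return grouped

def order_findings(good_xml, current_xml):
    """Compare the relative order of rules present in both configs."""
    good, cur = rules_by_interface(good_xml), rules_by_interface(current_xml)
    findings = {}
    for iface, before in good.items():
        after = cur.get(iface, [])
        kept_before = [r for r in before if r in after]
        kept_after = [r for r in after if r in before]
        if kept_before == kept_after:
            continue  # surviving rules kept their relative order
        last = before[-1]
        findings[iface] = {
            "before": [descr for _, descr in kept_before],
            "after": [descr for _, descr in kept_after],
            # Symptom from the first post: a final block/reject rule moved up.
            "final_deny_moved": last[0] in ("block", "reject")
                                and last in after and after[-1] != last,
        }
    return findings

def make_config(rules):
    """Build a constructed config fragment from (interface, type, descr)."""
    body = "".join(
        f"<rule><type>{t}</type><interface>{i}</interface><descr>{d}</descr></rule>"
        for i, t, d in rules)
    return f"<opnsense><filter>{body}</filter></opnsense>"

# Constructed sample data, not taken from any real firewall.
GOOD = make_config([("lan", "pass", "allow dns"), ("lan", "pass", "allow web"),
                    ("lan", "reject", "reject all"), ("wan", "pass", "allow vpn"),
                    ("wan", "block", "block all")])
SHUFFLED = make_config([("lan", "reject", "reject all"), ("lan", "pass", "allow dns"),
                        ("lan", "pass", "allow ssh"), ("lan", "pass", "allow web"),
                        ("wan", "pass", "allow vpn"), ("wan", "block", "block all")])

if __name__ == "__main__":
    for iface, finding in order_findings(GOOD, SHUFFLED).items():
        print(iface, finding)
```

Rules added or removed between the two files are ignored, so a newly added rule does not by itself count as a reorder.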
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 08, 2021, 08:47:59 am
No worries, I was just trying to ask for confirmation in a weird way. :)

So I reverted the patch and published 21.7.2_1 and will look more closely at it later today.


Cheers,
Franco
Title: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: Greelan on September 08, 2021, 11:22:42 am
No doubt you will figure it out Franco, but it is perhaps understandable the original contributor thought a change was necessary given lines 75 and 77 have the same condition, making 77 and 78 redundant. It just seems they picked the wrong thing to change…
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 08, 2021, 11:48:41 am
Right, that's certainly why it was accepted in the first place, but likely it should not have been.


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: Greelan on September 08, 2021, 11:57:04 am
The joys (perils) of open source
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: madj42 on September 08, 2021, 01:46:33 pm
Even though I already think I know the answer to this, I feel I need to ask.  I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 08, 2021, 01:54:42 pm
Under the assumption that you can still find a mirror with the wrong version active... yes.


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: c-mu on September 08, 2021, 03:57:50 pm
Just want to say that I had the same failure and after upgrading to 21.7.2_1 + restoring the Backup it is fixed!
Thank you very much.
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: hfvk on September 08, 2021, 05:58:08 pm
Quote from: madj42 on September 08, 2021, 01:46:33 pm
Even though I already think I know the answer to this, I feel I need to ask.  I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?

I would also like to have an answer to this. I am wondering exactly the same thing. I upgraded yesterday to the 21.7.2 release but did not change any firewall rules. My assumption is that I am not affected and I have double-checked and tested the firewall rules and they seem to be fine. However, I still have a little bit of an annoying feeling.  :-\

My assumption is that to be affected, you specifically needed to modify and save the rules. Is this correct?

Thank you franco and all for the fast hotfix release! Great job again! Nice release anyway, so many upgrades without any issues :)
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: Mondmann on September 08, 2021, 09:53:47 pm
@All - Requests when the error occurs

This error would only occur with rule changes
in the firewall! > With only update to 21.7.2 and reboot
there are no problems.

Since there is a fix since today thanks to the diligent, this should also be triggered.
The version number changes to OPNsense 21.7.2_1-amd64.

In case it was too late for some of you, you can use Putty ssh
on the cli point: 13 to select a restore point.

Greetings from Germany
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: bimbar on September 09, 2021, 09:30:28 am
This comparator seems pretty weird to me, and it certainly wasn't correct to begin with.

As far as I understand it, it sorts floating to front, inside interfaces (and floating) in seq order, and then sorts wan and lan before all other interfaces, after that interfaces in alphabetical order. Not to mention that one of the paths is never reached at line 77.

So why does it sort lan and wan to front after floating? I imagine many users don't even have lan and wan interfaces any more.

Anyway lucky me that my ruleset does not depend on ordering.
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 09, 2021, 10:06:26 am
I think it was trying to enforce that "wan" comes before "lan", which isn't natural ordering.

Here is the commit adding it in 2016 with the duplicated if branch:

https://github.com/opnsense/core/commit/26a6680224d34


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: Greelan on September 09, 2021, 10:27:58 am
I’m interested in the plan moving forward on this. Is the plan now just to leave the file as it is currently, after the hotfix, or is the intention to review all of the file to verify it is otherwise behaving as it should? There are some suggestions in the comments here that perhaps some aspects are not logical? I’d have thought that correct ordering of fw rules is pretty important, at least if people are assuming (based on the docs) that it is.
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: franco on September 09, 2021, 10:42:55 am
https://github.com/opnsense/core/commit/002d7637bd

I don't see a lot of potential for further changes.


Cheers,
Franco
Title: Re: OPNsense 21.7.2-amd64: firewall rules order garbled
Post by: bimbar on September 09, 2021, 05:05:12 pm
If it were me, I would dislike the comparison of interface names to strings.
It's undocumented functionality, imo it's doubtful if it's necessary at all, and if you delete and recreate those interfaces they get optXX names and the code is useless anyway.