23.7 Legacy Series / Firewall rules delayed activation and clearing states with API
« on: January 23, 2024, 02:39:47 pm »
I am using the firewall plugin API (api/firewall/filter/addRule) to automatically create some firewall rules (e.g. basic blocking and allowing of certain IPs). I notice that these rules often take a while to work. For example, if I make a rule (LAN/IN) to block 8.8.8.8, I am still able to access it (ping 8.8.8.8) for 5-10 minutes after creating and applying the rule. I am also calling the '/apply' API call immediately after the call to create the firewall rule - but this does not help.
This has been pointed out before (https://forum.opnsense.org/index.php?topic=31995.0), and I am having a similar experience where the 'allow' rules are immediate, but the 'block' rules are delayed. This previous post suggests that we need to clear the state table. After further exploration of the APIs, I've found that the core diagnostics API (https://docs.opnsense.org/development/api/core/diagnostics.html) includes a 'flushState' call. If I follow up my create/apply with this call, then any block rules work as expected.
However, there are some issues with this. I am quite new to firewalls, so I'm not sure if there are any other unanticipated negative side effects to doing this flush. The bigger problem is that this flush seems to completely bring down the UI/API for about 10-15 seconds after it completes. The firewall still seems to work during this period, but if I make an API call immediately after the flush, it will fail. This is not ideal for my needs.
Ultimately I need a way to immediately apply a blocking firewall rule without bringing down the API. Some potential workarounds I've identified include queueing up any calls after the flush, batching any rule calls together and performing a single flush, or trying to target specific states to delete using the delState API call (rather than flushing ALL states). These may help the situation, but they all come with their own issues.
Any suggestions? Thank you!
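As an added illustration of the workaround the post sketches (not code from the thread or from the OPNsense project), the script below creates the block rule, applies it, and then removes only the states that involve the blocked address instead of flushing the whole table. A full flush drops every established connection on the box, which is why it is so disruptive; deleting just the matching states leaves everything else untouched. The addRule and apply paths are the ones named in the post; the queryStates/delState paths, the rule field names and the shape of the state rows are assumptions and should be checked against the diagnostics API documentation linked above. The retry helper is the "queue calls until the API is back" idea from the post.

```python
"""Block an IP via the OPNsense API and clear only the matching pf states.

Example written for this thread, not part of OPNsense.  Paths other than
addRule/apply, and all field names, are assumptions to verify against
the API docs.  Uses only the standard library so it runs anywhere."""
import base64
import json
import time
import urllib.error
import urllib.request


def build_block_rule(ip, interface="lan", description="api block"):
    """Body for api/firewall/filter/addRule (field names assumed)."""
    return {"rule": {
        "enabled": "1", "action": "block", "quick": "1",
        "interface": interface, "direction": "in",
        "ipprotocol": "inet", "protocol": "any",
        "source_net": "any", "destination_net": ip,
        "description": description,
    }}


def select_states(rows, ip):
    """Return (id, creatorid) pairs for IPv4 states touching `ip`.

    Row keys (id, creatorid, src_addr, dst_addr as "addr:port") are assumed."""
    hits = []
    for row in rows:
        addrs = (str(row.get("src_addr", "")), str(row.get("dst_addr", "")))
        if any(a.rsplit(":", 1)[0] == ip for a in addrs):
            hits.append((row["id"], row["creatorid"]))
    return hits


def call_with_retry(fn, attempts=10, delay=1.0):
    """Retry `fn` while the API is unreachable (e.g. right after a flush)."""
    last = None
    for _ in range(attempts):
        try:
            return fn()
        except (urllib.error.URLError, ConnectionError) as exc:
            last = exc
            time.sleep(delay)
    raise RuntimeError(f"API did not recover after {attempts} attempts") from last


class OpnsenseClient:
    """Minimal JSON-over-HTTPS client using OPNsense key/secret basic auth."""

    def __init__(self, base_url, key, secret):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def post(self, path, body=None):
        data = json.dumps(body or {}).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method="POST")
        # Default TLS verification is kept on; use a trusted cert on the box.
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)


def block_ip(client, ip):
    """Create + apply the rule, then drop only states involving `ip`."""
    client.post("/api/firewall/filter/addRule", build_block_rule(ip))
    client.post("/api/firewall/filter/apply")
    # queryStates/delState paths and the searchPhrase parameter are assumed.
    listing = client.post("/api/diagnostics/firewall/queryStates",
                          {"searchPhrase": ip})
    targets = select_states(listing.get("rows", []), ip)
    for state_id, creator_id in targets:
        call_with_retry(lambda: client.post(
            f"/api/diagnostics/firewall/delState/{state_id}/{creator_id}"))
    return len(targets)


if __name__ == "__main__":
    # Placeholder credentials; replace with a real API key/secret pair.
    c = OpnsenseClient("https://firewall.example.invalid", "KEY", "SECRET")
    print("states cleared:", block_ip(c, "8.8.8.8"))
```

If a full flushState is still unavoidable, wrapping every subsequent call in `call_with_retry` covers the 10-15 second window in which the API refuses connections.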