Bug(?): Filter rule not working with inverted destination and multiple selection

Started by Kaya, April 16, 2025, 09:43:04 AM

Hi,

I have upgraded to the 25.4 business edition recently. One of the new features is the ability to perform a multi-selection for the source and destinations in the filter rules. I found that the logic is not working when the selection is inverted via the checkboxes "Source / Invert" or "Destination / Invert". At least, it is not working to my expectations.

For example, I have defined two network aliases a1 and a2. When I select both of them as the destination in an "allow" firewall rule, and also turn on "Destination / Invert", I would expect that traffic to both network aliases a1 and a2 will be blocked (assuming there is no other rule allowing the traffic). But this is not the case, only the traffic to one of the two networks seems to be blocked.

As a workaround, I simply created a new network group a3 containing both a1 and a2, and used that single group a3 instead of the multiple selection a1 and a2. This works as expected.

I think I remember having read that there was a limitation at a different place with inverting a selection or a range, but I cannot remember.

Is this behaviour of inverting a multiple selection a bug? Or is it working differently from my expectations?

Correct - when using source/destination invert you can have only one object or the results will be "surprising".

Could be called a bug - or a lack of documentation.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

There is no lack of documentation, it's described here in a note that describes this feature:

https://docs.opnsense.org/manual/how-tos/security-zones.html#create-security-zone-policies

Quote: This single GUI rule will create a Cartesian product and result in six firewall rules in pf(4). Be mindful using inversions in rules or inverted aliases, since they can be generated in an order that creates an unexpected result.
Hardware:
DEC740

Expanding the rules into two separate rules makes the first one allow the traffic of the second one. I think we'd better prevent this via validation?!


Cheers,
Franco
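The expansion Franco describes, as an added example that is not OPNsense's own code: it models the documented Cartesian-product expansion of one GUI rule and a first-match evaluation (an assumption standing in for pf "quick" rules), using constructed aliases lan, a1, a2 and the group a3 from the thread.

```python
# Added example (not OPNsense code): shows why inverting a multi-selected
# destination expands into rules that allow each other's traffic, while
# inverting one group alias behaves as the poster expected.
import ipaddress
from itertools import product

# Constructed aliases: a1 and a2 are networks, a3 is a group of both.
ALIASES = {
    "lan": ["192.168.1.0/24"],
    "a1": ["10.1.0.0/24"],
    "a2": ["10.2.0.0/24"],
    "a3": ["10.1.0.0/24", "10.2.0.0/24"],
}

def in_alias(ip, alias):
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES[alias])

def expand(srcs, dsts, invert_dst=False, action="pass"):
    """One rule per (source, destination) pair, i.e. the Cartesian product
    the docs describe. Assumption: every expanded rule carries the GUI
    rule's invert flag on its own single destination."""
    return [{"action": action, "src": s, "dst": d, "invert_dst": invert_dst}
            for s, d in product(srcs, dsts)]

def matches(rule, src_ip, dst_ip):
    src_ok = in_alias(src_ip, rule["src"])
    dst_hit = in_alias(dst_ip, rule["dst"])
    dst_ok = (not dst_hit) if rule["invert_dst"] else dst_hit
    return src_ok and dst_ok

def decide(rules, src_ip, dst_ip, default="block"):
    """First matching rule wins (assumption: rules are 'quick');
    with no match the packet falls through to the default block."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule["action"]
    return default

# Multi-select a1 + a2 with Destination/Invert: expands to "!a1" and "!a2".
multi = expand(["lan"], ["a1", "a2"], invert_dst=True)
# Workaround from the thread: a single group alias a3, inverted.
grouped = expand(["lan"], ["a3"], invert_dst=True)
```

A packet from lan to a1 fails the "!a1" rule but is passed by the "!a2" rule, so the multi-select variant allows traffic to both networks, whereas the grouped variant matches nothing and falls through to block.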

Quote from: Monviech (Cedrik) on April 16, 2025, 10:20:17 AM
There is no lack of documentation, it's described here in a note that describes this feature:

https://docs.opnsense.org/manual/how-tos/security-zones.html#create-security-zone-policies

Thanks. I was checking the Firewall > Rules part of the docs and did not find anything expanding on the basic function of "invert". Maybe add a single sentence and a link in the table describing the rule options?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Now that there's multi-select it makes sense to update other parts of the documentation as well, I'll put it on my list.

https://github.com/opnsense/docs/issues/700
Hardware:
DEC740


Hero! :-)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for all your replies :) And thanks for creating a GitHub for adding a check and/or clarifying in the documentation.