OPNsense 21.7.2-amd64: firewall rules order garbled

Started by blblblb, September 07, 2021, 06:57:34 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
September 08, 2021, 03:57:50 PM #15
Just want to say that I had the same failure and after upgrading to 21.7.2_1 + restoring the Backup it is fixed!
Thank you very much.
September 08, 2021, 05:58:08 PM #16
Quote from: madj42 on September 08, 2021, 01:46:33 PM
Even though I already think I know the answer to this, I feel I need to ask.  I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?

I would also like to have an answer to this. I am wondering exactly the same thing. I upgraded yesterday to the 21.7.2 release but did not change any firewall rules. My assumption is that I am not affected and I have double-checked and tested the firewall rules and they seem to be fine. However, still have a little bit annoying feeling.  :-\

My assumption is that to be affected, you specifically needed to modify and save the rules. Is this correct?

Thank you franco and all for the fast hotfix release! Great job again! Nice release anyway, so many upgrades without any issues :)
September 08, 2021, 09:53:47 PM #17
@All - Requests when the error occurs

This error would only occur with rule changes
in the firewall! > With only update to 21.7.2 and reboot
there are no problems.

Since there is a fix since today thanks to the diligent, this should also be triggered
should be triggered.
The version number changes to OPNsense 21.7.2_1-amd64.

In case it was too late for some of you, you can use Putty ssh
on the cli point: 13 to select a restore point.

Greetings from Germany
OPNsense 22.7.9*WG-kmod*OpenSSL*OpenVPN* AdGuardHome*i7-7700*32GB*256SSD*ix0-1, igb0-4, em0*OpenVPN+Wireguard WG0, WG1*NetGear ProSafe XS508*AP Netgear WAX610*alles echtes Blech* Sorry, my English is translated via app*
September 09, 2021, 09:30:28 AM #18
This comparator seems pretty weird to me, and it certainly wasn't correct to begin with.

As far as I understand it, it sorts floating to front, inside interfaces (and floating) in seq order, and then sorts wan and lan before all other interfaces, after that interfaces in alphabetial order. Not to mention that one of the paths is never reached at line 77.

So why does it sort lan and wan to front after floating? I imagine many users don't even have lan and wan interfaces any more.

Anyway lucky me that my ruleset does not depend on ordering.
September 09, 2021, 10:06:26 AM #19
I think it was trying to enforce that "wan" comes before "lan", which isn't natural ordering.

Here is the commit adding it in 2016 with the duplicated if branch:

https://github.com/opnsense/core/commit/26a6680224d34


Cheers,
Franco
September 09, 2021, 10:27:58 AM #20
I'm interested in the plan moving forward on this. Is the plan now just to leave the file as it is currently, after the hotfix, or is the intention to review all of the file to verify it is otherwise behaving as it should? There are some suggestions in the comments here that perhaps some aspects are not logical? I'd have thought that correct ordering of fw rules is pretty important, at least if people are assuming (based on the docs) that it is
September 09, 2021, 10:42:55 AM #21
https://github.com/opnsense/core/commit/002d7637bd

I don't see a lot of potential for further changes.


Cheers,
Franco
September 09, 2021, 05:05:12 PM #22
If it were me, I would dislike the comparison of interface names to strings.
It's undocumented functionality, imo it's doubtful if it's necessary at all, and if you delete and recreate those interfaces they get optXX names and the code is useless anyway.
Print
Go Up Pages 1 2
User actions