OPNsense 21.7.2-amd64: firewall rules order garbled

[blblblb]

I upgraded to OPNsense 21.7.2-amd64 today. Several rulesets/interfaces have their rules order garbled. This has caused major issues. ex. reject * moved from end/final rule position to somewhere in the middle or higher.

Anyone else experienced this with the update or before?

[blblblb]

This manifests when adding a new rule too. The block rules are moved elsewhere.
Edit: when saving, the order is shuffled.

[rico3]

Confirm, same problem here after upgrade to 21.7.2
I can restore settings using a XML configuration backup, but when touching any firewall rule the order of rules gets mixed up on all on all interface not just the one being modified.

[franco]

Could this be https://github.com/opnsense/core/commit/5993751b74 ?

# opnsense-patch 5993751b74


Cheers,
Franco

[blblblb]

I just had a brain stroke when I read that patch and realize it happens in all interfaces...
Jesus. This might be the worst one yet. Time to check which backup has the right config.
Wish me luck!

[franco]

Is that a confirm on the patch or a random rant?

I will prep a hotfix right away if this is confirmed. Looks like we will have to blacklist that contributor now...


Cheers,
Franco

[franco]

FWIW, either my rules were already botched or I can't see the impact in my ruleset when I save a rule to invoke that sorting code. The patch - or rather - the sorting code is pretty weird by itself so if anyone has a configuration diff to share for rule reordering that would be great.


Thanks,
Franco

[Mondmann]

@franco
Thanks for providing the fix so quickly:
# opnsense-patch 5993751b74
this has solved the above mentioned problem.
(and no one resents anything especially since the forum
helps at any time )
we are just happy that all developers,
Suporter and helpers so you are there for us...


Greetings from Germany

[blblblb]

Is that a confirm on the patch or a random rant?

I will prep a hotfix right away if this is confirmed. Looks like we will have to blacklist that contributor now...


Cheers,
Franco

Never an ill intentioned rant, I don't get to complain about something that is free despite the effort it takes to develop this. And certainly not the kind to make a petty joke.

I genuinely worried this messed up the rules in a system that has *many* of them in specific order (more OCD of my own) to optimize the traffic and keep things sane.

But: I can confirm that this fixes it, or so it seems. The behavior was as follows (I cannot revert/change things up in this system and I dont have a test VM handy):

- Pick any interface
- Go to its ruleset
- Add or modify any rule, make sure you have some already, and one or two blocking rules.
- Save
- The order of the rules should be different now.
- Check a different interface, and the same situation applies.

[franco]

No worries, I was just trying to ask for confirmation in a weird way.

So I reverted the patch and published 21.7.2_1 and will look more closely at it later today.


Cheers,
Franco

[Greelan]

No doubt you will figure it out Franco, but it is perhaps understandable the original contributor thought a change was necessary given lines 75 and 77 have the same condition, making 77 and 78 redundant . It just seems they picked the wrong thing to change…

[franco]

Right, that's certainly why it was accepted in the first place, but likely it should have not.


Cheers,
Franco

[Greelan]

The joys (perils) of open source

[madj42]

Even though I already think I know the answer to this, I feel I need to ask.  I'm assuming that if we upgraded to this but didn't modify any firewall rules, we're not affected by this bug?

[franco]

Under the assumption that you can still find a mirror with the wrong version active... yes.


Cheers,
Franco