Auto Generated Rules pull down will not open on LAN interfaces

Started by IsaacFL, August 13, 2023, 08:36:20 PM

Since the update to 23.7, in Firewall: Rules: for any of the LAN interfaces, the pull down for the "Automatically generated rules" will not open and shows an excess (43) number of rules.

The WAN interface does not have this issue, and it shows a more reasonable 25 rules. When I count them it is 25.


When I look at Floating rules, the Automatically generated rules shows 16 and it will open the pull down.

I have an Interface Group, and the Automatically generated rules shows 34 rules, but when I click the pull down there are only 16, same as the Floating rules.


No it does not seem to be browser specific.

I tried on Windows 10 desktop Firefox, removed all extensions.
Same with MS Edge

Also tried Safari on iPad.

They all have the same issue.

This is weird, but I cannot reproduce. Did you try a reboot?

I have done multiple reboots since I first noticed it. I updated to 23.7 on day of release and noticed it right away. Just haven't had a chance to look at it until now.

Funny thing is, I downloaded rules.debug from prior to update and compared to now and it is basically the same. Just some minor changes I had done post update.

The only thing I can think was prior to update I removed the OpenVPN server, since I plan to change to Wireguard at some point. I notice that the OpenVPN in the interfaces are gone, but there is still an OpenVPN item in firewall rules section with no rules, but the autogenerate section is there. I'm wondering if there is some part of it left causing issue.


You could try downloading the config file, make a copy and edit out the remaining OpenVPN bits, then import the edited file and see if that fixes it.

WinMerge is your friend here, so it's worth a shot.

I just finished removing vestiges of OpenVPN in the config file and all vestiges do seem to be gone. But sure that is the issue.

It is almost like the pull down is getting the wrong count and that is messing up the actual display when it is saying 43 but there are only 16 for it to display so it gives up?

For instance I have a group with rules, and its count is 34 and it will open so maybe there is an upper limit between 34 and 43? Here is a screenshot of the Group open and you count 16 auto generated rules, so it has the wrong count.


Quote from: newsense on August 14, 2023, 01:02:28 AM
You could try downloading the config file, make a copy and edit out the remaining OpenVPN bits, then import the edited file and see if that fixes it.

WinMerge is your friend here, so it's worth a shot.

I did a reinstall using the config.xml so new installation including format of disk.

After installing 23.7 the LAN interfaces auto rules do open and have the correct number of rules listed (25). There is still something not right about the Group I have. It says there are 34 rules, but only 16, same as before reinstall.

I then did the upgrade to 23.7.1_3 and now it is back to the same issue. It says there are 43 rules, and it will not open.

So it seems something happened in the update from initial 23.7 as downloaded and 23.7.1_3

OPNsense 23.7.1_3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023



LAN rules, says there are 43 auto generated rules and it will not open


Quote from: newsense on August 14, 2023, 09:56:50 PM
Try this

opnsense-patch 3f80ddb

https://github.com/opnsense/core/commit/3f80ddbe9e52466e760dcbf84ec187c973dc610f

I applied the patch, and it still shows lan having 43 rules and will not open. So patch did not fix and I rebooted too, just in case.

I didn't notice if this was the case before, but when I look at the auto generated rules in my Group, it is actually showing the group rules in the auto generated pull down. So in group rules are showing twice. Hence, the strange number 34.  So I have 18 rules I have written for my Group, plus the 16 that are actual auto generated which adds to 34.

So the group rules are being lumped in with the auto generated rules.
This is why the LAN rules are showing as 43. LAN interface has 25 auto generated rules, plus the 18 group rules which is 43. I am guessing that it is trying to list the group rules on each rules auto section.

Can you expand on that group that seems to be causing the issues then? If things work fine for a while then there's something changing that causes the issue.

It seems that the group rules are being included on all of the lan interfaces as part of the auto generated rules.

The change was going from 23.7 to 23.7.1_3.

Quote from: newsense on August 14, 2023, 11:21:58 PM
Can you expand on that group that seems to be causing the issues then? If things work fine for a while then there's something changing that causes the issue.

It was not working fine for awhile and then wasn't it was working fine.  Then I upgraded to 23.7.1_3 and then it no longer worked.

It seems that on the LAN interface of the Firewall rules, there should be an expandable list of the "Automatically generated rules"

Then, there will be an expandable list of "Floating rules"

Then, and here is where the problem is, there should be, but it is missing, an expandable list for Group Rules. Then the actual LAN rules follow.

Somehow instead of the Group rules getting an expandable tab, it is getting shoved into the "Automatically generated rules" list.

When I look at the page source, it looks like the group section was a copy paste of the auto section

Here is the source for the Auto Section
                    <tr id="expand-internal-rules" class="expand_type is_collapsed" data-type="internal" style="display: none;">
                        <td><i class="fa fa-folder-o text-muted"></i></td>
                        <td></td>
                        <td class="view-info" colspan="2"> </td>
                        <td class="view-info hidden-xs hidden-sm" colspan="5"> </td>
                        <td colspan="2" class="view-stats hidden-xs hidden-sm"></td>
                        <td colspan="2" class="view-stats"></td>
                        <td class="view-info"></td>
                        <td>Automatically generated rules</td>
                        <td>
                            <button class="btn btn-default btn-xs" id="expand-internal">
                              <i class="fa fa-chevron-circle-down" aria-hidden="true"></i>
                              <span class="badge">
                                <span id="internal-rule-count"><span>
                              </span>
                            </button>
                        </td>
                    </tr>

Following that are rows for each auto rule.

Next Section is the Floating rules:
                   <tr id="expand-floating-rules" class="expand_type is_collapsed" data-type="floating" style="display: none;">
                        <td><i class="fa fa-folder-o text-muted"></i></td>
                        <td></td>
                        <td class="view-info" colspan="2"> </td>
                        <td class="view-info hidden-xs hidden-sm" colspan="5"> </td>
                        <td colspan="2" class="view-stats hidden-xs hidden-sm"></td>
                        <td colspan="2" class="view-stats"></td>
                        <td class="view-info"></td>
                        <td>Floating rules</td>
                        <td>
                            <button class="btn btn-default btn-xs" id="expand-floating">
                              <i class="fa fa-chevron-circle-down" aria-hidden="true"></i>
                              <span class="badge">
                                <span id="floating-rule-count"><span>
                              </span>
                            </button>
                        </td>
                    </tr>


After the Floating section there should be the group rule section, but it is a copy/paste of the Auto section.
<tr id="expand-internal-rules" class="expand_type is_collapsed" data-type="internal" style="display: none;">
                        <td><i class="fa fa-folder-o text-muted"></i></td>
                        <td></td>
                        <td class="view-info" colspan="2"> </td>
                        <td class="view-info hidden-xs hidden-sm" colspan="5"> </td>
                        <td colspan="2" class="view-stats hidden-xs hidden-sm"></td>
                        <td colspan="2" class="view-stats"></td>
                        <td class="view-info"></td>
                        <td>Automatically generated rules</td>
                        <td>
                            <button class="btn btn-default btn-xs" id="expand-internal">
                              <i class="fa fa-chevron-circle-down" aria-hidden="true"></i>
                              <span class="badge">
                                <span id="internal-rule-count"><span>
                              </span>
                            </button>
                        </td>
                    </tr>


I think it should be using a different id from the auto. I think the copy paste and not having a unique id is what is breaking it.

i.e. Instead of id="expand-internal-rules" it should have id="expand-group-rules" etc.

I should clarify, that though I say it is LAN interface rules, it is really Interface members of the groups that have the issue. I can remove an interface from the group and it is good. Add back to the group and it has the issue again.
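
The duplicate-id observation in the posts above can be checked mechanically on a saved copy of the rules page. The following is an added example, not part of the thread and not OPNsense code: it lists every id value that appears on more than one element. The sample markup is constructed and trimmed from the rows quoted above, and `findDuplicateIds` is a hypothetical helper name.

```javascript
// Constructed sample: auto section, floating section, then the repeated auto-style block.
const SAMPLE_SOURCE = `<table>
<tr id="expand-internal-rules" data-type="internal">
  <td>Automatically generated rules</td>
  <td><button id="expand-internal"><span id="internal-rule-count"></span></button></td>
</tr>
<tr id="expand-floating-rules" data-type="floating">
  <td>Floating rules</td>
  <td><button id="expand-floating"><span id="floating-rule-count"></span></button></td>
</tr>
<tr id="expand-internal-rules" data-type="internal">
  <td>Automatically generated rules</td>
  <td><button id="expand-internal"><span id="internal-rule-count"></span></button></td>
</tr>
</table>`;

// Return { id: [{ tag, line }, ...] } for every id used on more than one element.
// Regex scan of opening tags only; assumes attribute values contain no '>'.
function findDuplicateIds(html) {
  const tagRe = /<([a-zA-Z][\w-]*)(\s[^>]*)?>/g;
  // Leading \s keeps attributes such as data-id from being counted as id.
  const idRe = /\sid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const seen = new Map();
  for (const m of html.matchAll(tagRe)) {
    const attr = idRe.exec(m[2] || "");
    if (!attr) continue;
    const id = attr[1] ?? attr[2] ?? attr[3];
    // 1-based line number of the tag, for locating it in the saved source.
    const line = html.slice(0, m.index).split("\n").length;
    if (!seen.has(id)) seen.set(id, []);
    seen.get(id).push({ tag: m[1].toLowerCase(), line });
  }
  const dupes = {};
  for (const [id, hits] of seen) {
    if (hits.length > 1) dupes[id] = hits;
  }
  return dupes;
}

console.log(JSON.stringify(findDuplicateIds(SAMPLE_SOURCE), null, 2));
```

ID-based lookups such as `document.getElementById` resolve to a single element, so a second block that reuses the same ids cannot be addressed separately from the first.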