double "block all targeting port 0" Automatically generated rules on the WAN

Started by ryp43, November 09, 2023, 07:41:10 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
November 09, 2023, 07:41:10 AM
Hi!

I have noticed that there is a double "block all targeting port 0" Automatically generated rules on the WAN interface - OPNsense 23.7.7_3-amd64

   IPv4+6 TCP/UDP   *   *   *   *   *   *   *   block all targeting port 0   
     IPv4+6 TCP/UDP   *   *   *   *   *   *   *   block all targeting port 0

Might be a bug?
November 09, 2023, 07:47:16 AM #1
It's actually not double. It's from and to port 0, for IPv4 and IPv6. The GUI display is kinda suboptimal.

Code Select

block in log quick inet proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
November 09, 2023, 07:58:52 AM #2
Thank you!
November 09, 2023, 08:54:48 AM #3
This looks like one of those empty() issue where "0" is treated as "" but that is not what we want... let me fix that.


Cheers,
Franco
November 09, 2023, 09:08:18 AM #4
Ahh, better? :) https://github.com/opnsense/core/commit/a2d55c89394

# opnsense-patch a2d55c89394


Cheers,
Franco
November 09, 2023, 09:09:36 AM #5
Quote from: franco on November 09, 2023, 08:54:48 AM
This looks like one of those empty() issue where "0" is treated as "" but that is not what we want... let me fix that.

Astonishingly, someone has decided to re-implement the same stupid PHP design in JS. #SMH  ::)

https://github.com/vvmspace/empty-js
November 09, 2023, 09:15:26 AM #6
empty() has the clear advantage of acting like an evaluation and not caring about whatever you do inside if it fails. But, yes, the "0" handling is a clear disadvantage ever since isset() was nerfed to throw warnings on undefined array access... ;)
November 09, 2023, 09:18:35 AM #7 Last Edit: November 09, 2023, 09:26:26 AM by doktornotor
Other than that, I don't think the patch has changed anything in the GUI? The [s|d]port is still shown as * - at least looking at other interfaces than WAN. (That one still cannot be expanded for me.)
November 09, 2023, 09:31:41 AM #8
https://imgur.com/a/aNjfTqi looks good to me

I think manual rules may have the same issue but I'm too lazy ... pprint_port()
November 09, 2023, 09:41:38 AM #9
Well I am probably haunted... Even restarted the WebUI.

November 09, 2023, 11:41:52 AM #10
Applied twice with opnsense-patch? Second time reverts the patch.


Cheers,
Franco
November 09, 2023, 12:19:12 PM #11
Sometimes I'm a proper idiot. It needs both spots and I decided to ditch the other because the first mod wasn't working...

https://github.com/opnsense/core/commit/e37a47371823


Cheers,
Franco
November 09, 2023, 07:33:08 PM #12
No dice. I must be missing something.
November 09, 2023, 07:38:50 PM #13
You need both patches active. I totally missed this too.

But 23.7.8 has both patches anyway.


Cheers,
Franco
November 09, 2023, 07:55:52 PM #14
Well...

Code Select

# opnsense-patch a2d55c89394 && opnsense-patch e37a47371823
Fetched a2d55c89394 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From a2d55c8939489fedd714bdb70ac0e640c5911df5 Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Thu, 9 Nov 2023 09:06:50 +0100
|Subject: [PATCH] firewall: port can be zero in automatic rule, render
| accordingly
|
|PR: https://forum.opnsense.org/index.php?topic=36885.0
|---
| src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php | 4 ++--
| 1 file changed, 2 insertions(+), 2 deletions(-)
|
|diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
|index 1ddbef8a79..8ef346b7c3 100644
|--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
|+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
--------------------------
Patching file opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php using Plan A...
Hunk #1 succeeded at 329.
Hunk #2 succeeded at 355.
done
All patches have been applied successfully.  Have a nice day.
Fetched e37a47371823 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From e37a4737182314444539c0b83ccfd37fed4ab85f Mon Sep 17 00:00:00 2001
|From: Franco Fichtner <franco@opnsense.org>
|Date: Thu, 9 Nov 2023 12:17:46 +0100
|Subject: [PATCH] firewall: also patch this spot -.-
|
|---
| src/www/guiconfig.inc | 2 +-
| 1 file changed, 1 insertion(+), 1 deletion(-)
|
|diff --git a/src/www/guiconfig.inc b/src/www/guiconfig.inc
|index 7911fa1ab5..1fa010938d 100644
|--- a/src/www/guiconfig.inc
|+++ b/src/www/guiconfig.inc
--------------------------
Patching file www/guiconfig.inc using Plan A...
Hunk #1 succeeded at 340.
done
All patches have been applied successfully.  Have a nice day.
# configctl webgui restart
OK


Same result as the screenshot above. Nevermind. Not important enough to deal with this PHP nonsense.
Print
Go Up Pages1 2
User actions