pfSense bugtracker (https://redmine.pfsense.org/)
pfSense Packages - Bug #13829: WG not removing interface rules from config even if "Keep Configuration" is unchecked before pkg removal
https://redmine.pfsense.org/issues/13829?journal_id=64989 | 2023-01-04T08:19:26Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Not a Bug</i></li></ul><p>Interface rules are usually removed when removing an interface from assignments, which is a manual process and not part of a package configuration. You should be removing the WG interface from being assigned before removing the package, not relying on the package to do that. IMO, the WG package shouldn't touch firewall rules.</p>
<p>Removing the WG package does not unassign the interface either, so you'll end up with an interface error at some point after removing WG if you don't also remove the assignment.</p>
https://redmine.pfsense.org/issues/13829?journal_id=64990 | 2023-01-04T08:53:11Z | Loh Phat
<p>Jim Pingle wrote in <a href="#note-1">#note-1</a>:</p>
<blockquote>
<p>Interface rules are usually removed when removing an interface from assignments, which is a manual process and not part of a package configuration. You should be removing the WG interface from being assigned before removing the package, not relying on the package to do that. IMO, the WG package shouldn't touch firewall rules.</p>
<p>Removing the WG package does not unassign the interface either, so you'll end up with an interface error at some point after removing WG if you don't also remove the assignment.</p>
</blockquote>
<p>I understand your point. However, from a user standpoint, perhaps some reminder text in the WG settings page that any interface rules need to be removed BEFORE removing the package, since the package removal prevents the rules from being deleted afterwards since the interface is no longer there -- the rules are in config limbo, unable to be accessed for deletion. It's a bit unintuitive.</p>
https://redmine.pfsense.org/issues/13829?journal_id=64992 | 2023-01-04T09:03:34Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Not a Bug</i> to <i>New</i></li></ul><p>Reading this again, perhaps I misunderstood. I was talking about assigned interfaces since you mentioned interfaces specifically; the group rules are different.</p>
<p>The package does manage the "WireGuard" interface <em>group</em>, and deleting the group does leave the rules orphaned, so that isn't as clear-cut of a case as I was thinking.</p>
<p>That said, even if someone manually creates a group and rule (unrelated to WG), deleting a group does not remove rules created for the group, so the behavior is still consistent (though arguably incorrect).</p>
<p>Reopening this since there is a bit more to think about here.</p>
https://redmine.pfsense.org/issues/13829?journal_id=64997 | 2023-01-04T10:27:44Z | Loh Phat
<p>Jim Pingle wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<p>Reopening this since there is a bit more to think about here.</p>
</blockquote>
<p>Perhaps another checkbox in the WG settings below "Keep Settings upon package deletion" called "Keep any WireGuard i/f rules upon package deletion" (also default checked).</p>
<p>That would allow the user to fully remove the package and any other config settings related to the i/f very easily in one step. If they want to just make WG go away, they'd uncheck both boxes and remove the package.</p>
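<p>An added example, not from the thread participants or the pfSense project: a read-only audit that lists firewall rules still stored in a configuration after the interface or interface group they were bound to has been deleted, the "config limbo" state discussed above. The <code>config.xml</code> element layout, the built-in tab names in <code>BUILTIN</code>, and the sample data are assumptions constructed for illustration.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed pfSense config.xml layout (not from the issue):
# the "WireGuard" group has been deleted, but rules bound to it are still stored.
SAMPLE_CONFIG = """<pfsense>
  <interfaces><wan><if>em0</if></wan><lan><if>em1</if></lan></interfaces>
  <ifgroups>
    <ifgroupentry><ifname>Guests</ifname><members>lan</members></ifgroupentry>
  </ifgroups>
  <filter>
    <rule><tracker>1001</tracker><interface>lan</interface><descr>LAN out</descr></rule>
    <rule><tracker>1002</tracker><interface>WireGuard</interface><descr>WG in</descr></rule>
    <rule><tracker>1003</tracker><interface>Guests</interface><descr>Guest net</descr></rule>
    <rule><tracker>1004</tracker><floating>yes</floating><interface>wan,WireGuard</interface><descr>Floating</descr></rule>
  </filter>
</pfsense>"""

# Assumption: rule tabs that exist without an assignment or a group entry.
BUILTIN = {"openvpn", "enc0", "l2tp", "pppoe"}

def known_interfaces(root):
    """Names a rule may legitimately bind to: assigned interfaces, groups, built-ins."""
    names = {el.tag for el in root.findall("./interfaces/*")}
    names |= {(el.text or "").strip()
              for el in root.findall("./ifgroups/ifgroupentry/ifname")}
    return names | BUILTIN

def orphaned_rules(xml_text):
    """Return (tracker, descr, missing_names) for rules bound to a missing interface/group."""
    root = ET.fromstring(xml_text)
    known = known_interfaces(root)
    findings = []
    for rule in root.findall("./filter/rule"):
        # Floating rules may carry a comma-separated interface list.
        bound = [n.strip() for n in (rule.findtext("interface") or "").split(",")
                 if n.strip()]
        missing = [n for n in bound if n not in known]
        if missing:
            findings.append((rule.findtext("tracker"), rule.findtext("descr"), missing))
    return findings

if __name__ == "__main__":
    for tracker, descr, missing in orphaned_rules(SAMPLE_CONFIG):
        print(f"rule {tracker} ({descr}): no such interface/group: {', '.join(missing)}")
```

<p>Run it against a backup copy of the configuration; it only reads and reports.</p>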