Bug #13829
open
WG not removing interface rules from config even if "Keep Configuration" is unchecked before pkg removal
Added by Loh Phat over 1 year ago.
Updated over 1 year ago.
Description
In the pfsense (22.05) config.xml there was a section of rules for the "WireGuard" package i/f. I had tried the package a few months ago but abandoned the effort and removed the package.
So I reinstalled the package so that I could uncheck the "Keep Configuration", since I figured that was why the config entries are still there. I did that and re-deleted the WG package but the i/f config details are STILL in the config.
Here are two of the six rule entries for the now-deleted interface still stuck in the config after package uninstall (they all had the same tracking ID due to a now-fixed pfsense rule bug https://redmine.pfsense.org/issues/13507):
<rule>
<id/>
<tracker>1666565958</tracker>
<type>block</type>
<interface>WireGuard</interface>
<ipprotocol>inet</ipprotocol>
<tag/>
<tagged/>
<max/>
<max-src-nodes/>
<max-src-conn/>
<max-src-states/>
<statetimeout/>
<statetype>
<![CDATA[ keep state ]]>
</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<network>lan</network>
</destination>
<descr>
<![CDATA[ NO access to LAN vlan ]]>
</descr>
<created>
<time>1620692436</time>
<username>
<![CDATA[ [REDACTED] (Local Database) ]]>
</username>
</created>
<updated>
<time>1620703184</time>
<username>
<![CDATA[ [REDACTED] (Local Database) ]]>
</username>
</updated>
</rule>
<rule>
<id/>
<tracker>1666565958</tracker>
<type>block</type>
<interface>WireGuard</interface>
<ipprotocol>inet</ipprotocol>
<tag/>
<tagged/>
<max/>
<max-src-nodes/>
<max-src-conn/>
<max-src-states/>
<statetimeout/>
<statetype>
<![CDATA[ keep state ]]>
</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<network>opt3</network>
</destination>
<descr>
<![CDATA[ NO access to WIFI vlan ]]>
</descr>
<created>
<time>1620692468</time>
<username>
<![CDATA[ [REDACTED] (Local Database) ]]>
</username>
</created>
<updated>
<time>1620703170</time>
<username>
<![CDATA[ [REDACTED] (Local Database) ]]>
</username>
</updated>
</rule>
- Status changed from New to Not a Bug
Interface rules are usually removed when removing an interface from assignments, which is a manual process and not part of a package configuration. You should be removing the WG interface from being assigned before removing the package, not relying on the package to do that. IMO, the WG package shouldn't touch firewall rules.
Removing the WG package does not unassign the interface either, so you'll end up with an interface error at some point after removing WG if you don't also remove the assignment.
Jim Pingle wrote in #note-1:
Interface rules are usually removed when removing an interface from assignments, which is a manual process and not part of a package configuration. You should be removing the WG interface from being assigned before removing the package, not relying on the package to do that. IMO, the WG package shouldn't touch firewall rules.
Removing the WG package does not unassign the interface either, so you'll end up with an interface error at some point after removing WG if you don't also remove the assignment.
I understand your point. However from a user standpoint perhaps some reminder text in the WG settings page that any interface rules need to be removed BEFORE removing the package since the package removal prevents the rules from being deleted afterwards since the interface is no longer there -- the rules are in config limbo, unable to be accessed for deletion. It's a bit un-intuitive.
- Status changed from Not a Bug to New
Reading this again, perhaps I misunderstood. I was talking about assigned interfaces since you mentioned interfaces specifically, the group rules are different.
The package does manage the "WireGuard" interface group, and deleting the group does leave the rules orphaned, so that isn't as clear cut of a case as I was thinking.
That said, even if someone manually creates a group and rule (unrelated to WG), deleting a group does not remove rules created for the group, so the behavior is still consistent (though arguably incorrect).
Reopening this since there is a bit more to think about here.
Jim Pingle wrote in #note-3:
Reopening this since there is a bit more to think about here.
Perhaps another checkbox in the WG settings below "Keep Settings upon package deletion" called "Keep any WireGuard i/f rules upon package deletion" (also default checked).
That would allow the user to fully remove the package and any other config settings related to the i/f very easily in one step. If they want to just make WG go away, they'd uncheck both boxes and remove the package.
Also available in: Atom
PDF
Updated by 
Updated by