pfSense

The reason for this change is due to how WireGuard tunnels are created via early shell commands and the new cryptographic accelerator (IIMB) that was introduced in 23.05. The reordering was done to push early shell commands down after loading crypto modules and setting sysctls so that the desired crypto is in place before creating WireGuard tunnels.

WireGuard is not impacted by this change because we append `tun_` to each WireGuard interface name which takes advantage of a check here [1] that ensures these interfaces are ignored when checking for the interface mismatch condition.

I will revisit this and see if we can restore the original behavior, and what that means for WireGuard utilizing the new IIMB crypto when enabled.

[1] https://github.com/pfsense/pfsense/blob/217f42ec30a4008907ac6fbb65b7b2e0ebf51eb9/src/etc/inc/util.inc#LL2477C20-L2477C129

Thanks for the quick response, Christian. That makes complete sense to me. This makes me wonder if it's possible to update the logic of the is_interface_mismatch() function to determine if the interface is physical or virtual, instead of mostly relying on regex matching based on that interface's name that's happening now; perhaps by using something like pciconf -lv would work. I'm sure that's likely a can of worms though...

I suppose the easier option is to introduce more options to these shell commands so that the execution order is a bit more customizable.

Will continue to follow this issue to see what you all decide on.

Adding ngeth to the 'do not check' list doesn't seem like a bad option. That is always a virtual interface.

I'm also having this issue with the most recent upgrade. I switched to the new GUI supported 802.1x forwarding method temporarily (big thanks) but would prefer a solution that solved the ngeth0 interface assignment issue. Or if wpa_supplicant supports VLAN 0 than this issue would go away entirely.

I have now added ngeth interfaces to the list of ignored prefixes.

I will continue to investigate this regression.

Christian McDonald wrote in #note-6:

I have now added ngeth interfaces to the list of ignored prefixes.

I will continue to investigate this regression.

Thanks! Is there a patch we could use in the meantime?

You should be able to add the commit via system patches:
https://github.com/pfsense/pfsense/commit/c13bf6d4d174d77768d9090e97b3379835495356

Steve Wheeler wrote in #note-8:

You should be able to add the commit via system patches:
https://github.com/pfsense/pfsense/commit/c13bf6d4d174d77768d9090e97b3379835495356

Thanks! No differences between CE and Plus?

I tested it against 23.05. It's already in 2.7 snaps.

I've been running on a similar patch as well & have had no issues on 23.05. I'm not surprised that Git commit also cleanly applies to Plus, as that particular part of the code is the same.

Thanks! Patch applied and running perfectly!