Bug #14705

closed

Changes in Ethernet ruleset can lead to incorrect rule and separator order

Added by Jonathan Lee 8 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assignee: (none)
Category: Rules / NAT
Target version: (none)
Start date: (none)
Due date: (none)
% Done: 100%
Estimated time: (none)
Release Notes: Default
Affected Plus Version: 23.05.1
Affected Architecture: All

Description

Hello fellow pfSense Redmine community members,

I noticed after the recent software update to 23.05.1 that issues started to occur on my 2100 within the access control lists. This bug only occurs when rules are changed while I have separators in use, which results in a bug. That bug is the re-ordering of both the layer 2 and the firewall's user-based ACL rulesets into a random order.
The ruleset is randomized, as well as the experimental layer 2 rules. I have confirmed the fix for this is to remove my custom separators (labels). After their removal, editing rules can be done without a randomized rule order event.

I have explored this with the Netgate forum; however, not many other users use rule separators and layer 2 experimental rules.

Ref:
https://forum.netgate.com/topic/182360/acl-access-control-list-rule-order-issue

for detailed research of the issue.

I do not know if this is a one off or something else.

What I expect to happen is that the order of the rules stays the same and, if I add a rule, the rules just move down one, not a complete randomized change in the order of the rules I already have in place.
Files

1692770826241-screenshot-2023-08-22-at-11.03.36-pm.png (306 KB) - Before - Jonathan Lee, 08/23/2023 05:14 PM
1692770854565-screenshot-2023-08-22-at-11.04.15-pm.png (264 KB) - Rule change - Jonathan Lee, 08/23/2023 05:15 PM
after.png (318 KB) - Rules went into randomized order - Jonathan Lee, 08/23/2023 05:15 PM
afterlayer2.png (49.5 KB) - Layer 2 rules reorder also - Jonathan Lee, 08/23/2023 05:15 PM
Actions #1

Updated by Jim Pingle 8 months ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from Rules / NAT to Rules / NAT
  • Status changed from New to Duplicate
  • Affected Plus Version deleted (23.05.1)

Most likely a duplicate of #14691 or #14619

Actions #2

Updated by Jonathan Lee 8 months ago

For mine, the rules are randomizing. I have some rules that jump to the middle and/or end of the rule list.

Actions #3

Updated by Marcos M 8 months ago

  • Status changed from Duplicate to Rejected
  • Affected Architecture deleted (SG-2100)

I can only replicate this if I change the config while editing a rule. This is known behavior that is due to the index being "cached" while an entry is being edited.

Actions #4

Updated by Jonathan Lee 8 months ago

Thanks for looking into this. I am not changing the firewall configuration, only the firewall rule, when this occurs. Likewise, I also use layer 2 Ethernet filtering rules. It does work correctly with no separators.

Actions #5

Updated by Marcos M 8 months ago

I was not able to replicate it (including with Ethernet rules, etc). If you can replicate this on a default install/config, please provide the exact steps to do so.

Actions #6

Updated by Marcos M 7 months ago

  • Project changed from pfSense to pfSense Plus
  • Subject changed from Possible Firewall ACL Separator Issues Causing rule to reorder into random order. to Changes in Ethernet ruleset can lead to incorrect rule and separator order
  • Category changed from Rules / NAT to Rules / NAT
  • Status changed from Rejected to Feedback
  • Assignee set to Marcos M
  • Target version set to 23.09
  • % Done changed from 0 to 100
  • Affected Plus Version set to 23.05.1
  • Affected Architecture All added

I was finally able to replicate this issue fairly consistently (albeit not every single time). A fix is now in place for 23.09 which resolves the behavior I could reproduce. Additionally, I did regression testing for #14856, #14619, and #9887 which were all successful.

If you're currently having the issue, the Ethernet rules specifically may need to be recreated/reordered after updating to 23.09 depending on the state of the rules index.

Actions #7

Updated by Jonathan Lee 7 months ago

Thanks for looking into this

Actions #8

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Closed