Bug #14705
Status: Closed (100% done)
Changes in Ethernet ruleset can lead to incorrect rule and separator order
Description
Hello fellow pfSense Redmine community members,
I noticed after the recent software update to 23.05.1 that issues started to occur on my 2100 within the access control lists. This bug only occurs when rules are changed while I have separators in use, which results in a bug. That bug is the re-ordering of both the layer 2 and the firewall's user-based ACL rulesets into a random order.
The ruleset is randomized, as well as the experimental layer 2 rules. I have confirmed the fix for this is to remove my custom separators (labels). After their removal, editing rules can be done without a randomized rule order event.
I have explored this on the Netgate forum; however, not many other users use rule separators and the experimental layer 2 rules.
Ref: https://forum.netgate.com/topic/182360/acl-access-control-list-rule-order-issue for detailed research on the issue.
I do not know if this is a one off or something else.
What I expect to happen is that the order of the rules stays the same, and if I add a rule the other rules just move down one, not a complete randomized change in the order of the rules I already had in place.
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense Plus to pfSense
- Category changed from Rules / NAT to Rules / NAT
- Status changed from New to Duplicate
- Affected Plus Version deleted (23.05.1)
Updated by Jonathan Lee over 1 year ago
For mine the rules are randomizing. I have some rules that jump to the middle and or end of the rule list.
Updated by Marcos M over 1 year ago
- Status changed from Duplicate to Rejected
- Affected Architecture deleted (SG-2100)
I can only replicate this if I change the config while editing a rule. This is known behavior that is due to the index being "cached" while an entry is being edited.
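The comment above describes the mechanism: the edit form holds on to the rule's row index from the moment it was opened, so if the ruleset changes before the save, the edited rule is written into a slot that now belongs to a different rule and separator rows captured at form-open time are written back stale. The following is an added toy model of that failure mode and of the usual fix (resolve the rule by a stable identifier at save time). It is not pfSense code and is not from this thread; the `tracker` field, the `{row: label}` separator representation, the form snapshot and the sample rules are all assumptions constructed for the example.

```python
"""Toy model of a stale cached row index corrupting rule and separator order.

Added illustration, NOT pfSense code. Assumed (not taken from the page):
each rule carries a stable 'tracker' id, separators are stored as
{row_index: label} for the row they sit above, and the edit form snapshots
the row index and separator rows when it is opened.
"""
from dataclasses import dataclass


@dataclass
class Ruleset:
    rules: list        # display order; each rule is a dict with a 'tracker' id
    separators: dict   # row index -> label; the label is drawn above that row


def constructed_ruleset():
    """Constructed sample data for the example, not a real configuration."""
    return Ruleset(
        rules=[
            {"tracker": 1001, "descr": "allow mgmt"},
            {"tracker": 1002, "descr": "allow dns"},
            {"tracker": 1003, "descr": "block iot"},
            {"tracker": 1004, "descr": "allow lan"},
        ],
        separators={0: "Management", 2: "IoT"},
    )


def open_editor(rs, index):
    """Form open: cache the row index, a copy of the rule and the separator rows."""
    return {"index": index, "rule": dict(rs.rules[index]),
            "separators": dict(rs.separators)}


def insert_rule(rs, at, rule):
    """A change made while the form is open: insert a rule and shift the
    separators at or below that row down by one so they keep their rule."""
    rs.rules.insert(at, rule)
    rs.separators = {(r + 1 if r >= at else r): label
                     for r, label in rs.separators.items()}


def save_cached(rs, form, new_descr):
    """Buggy save: write the edited rule into the cached slot and write the
    cached separator rows back, ignoring anything that changed meanwhile."""
    rs.rules[form["index"]] = dict(form["rule"], descr=new_descr)
    rs.separators = dict(form["separators"])


def save_by_tracker(rs, form, new_descr):
    """Fixed save: find the rule's current row by its stable tracker id at
    save time and leave separator rows the form never edited alone."""
    wanted = form["rule"]["tracker"]
    for i, rule in enumerate(rs.rules):
        if rule["tracker"] == wanted:
            rs.rules[i] = dict(rule, descr=new_descr)
            return
    raise KeyError(f"rule with tracker {wanted} no longer exists")


def render(rs):
    """Rows in display order, separator labels in brackets above their row."""
    out = []
    for i, rule in enumerate(rs.rules):
        if i in rs.separators:
            out.append(f"[{rs.separators[i]}]")
        out.append(f"{rule['tracker']} {rule['descr']}")
    return out


def audit(rs):
    """Integrity check to run after an edit: every tracker unique and every
    separator row pointing at an existing rule. Returns a list of problems."""
    problems, seen = [], set()
    for rule in rs.rules:
        if rule["tracker"] in seen:
            problems.append(f"duplicate tracker {rule['tracker']}")
        seen.add(rule["tracker"])
    for row in rs.separators:
        if not 0 <= row < len(rs.rules):
            problems.append(f"separator row {row} out of range")
    return problems


def scenario(save):
    """Open the editor on row 2, insert a rule above it, then save."""
    rs = constructed_ruleset()
    form = open_editor(rs, 2)                       # editing 1003 "block iot"
    insert_rule(rs, 1, {"tracker": 1005, "descr": "allow ntp"})
    save(rs, form, "block iot (edited)")
    return rs


if __name__ == "__main__":
    for name, save in (("cached index", save_cached), ("tracker id", save_by_tracker)):
        rs = scenario(save)
        print(f"--- save by {name} ---")
        print("\n".join(render(rs)))
        print("audit:", audit(rs) or "ok")
```

With the cached-index save, the edited copy of rule 1003 lands on the row that "allow dns" (1002) had moved into, so 1002 disappears, 1003 appears twice, and the "IoT" separator is restored to its old row above the wrong rule; `audit` flags the duplicate tracker. Saving by tracker id leaves the order intact and `audit` returns no problems. Running the same kind of integrity check against the real configuration after updating is the practical counterpart of the "rules may need to be recreated/reordered" advice later in this thread.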
Updated by Jonathan Lee over 1 year ago
Thanks for looking into this. I am not changing the firewall configuration only the firewall rule when this occurs. Likewise I also use layer 2 Ethernet filtering rules. It does work correctly with no separators.
Updated by Marcos M over 1 year ago
I was not able to replicate it (including with Ethernet rules, etc). If you can replicate this on a default install/config, please provide the exact steps to do so.
Updated by Marcos M about 1 year ago
- Project changed from pfSense to pfSense Plus
- Subject changed from Possible Firewall ACL Separator Issues Causing rule to reorder into random order. to Changes in Ethernet ruleset can lead to incorrect rule and separator order
- Category changed from Rules / NAT to Rules / NAT
- Status changed from Rejected to Feedback
- Assignee set to Marcos M
- Target version set to 23.09
- % Done changed from 0 to 100
- Affected Plus Version set to 23.05.1
- Affected Architecture All added
I was finally able to replicate this issue fairly consistently (albeit not every single time). A fix is now in place for 23.09 which resolves the behavior I could reproduce. Additionally, I did regression testing for #14856, #14619, and #9887 which were all successful.
If you're currently having the issue, the Ethernet rules specifically may need to be recreated/reordered after updating to 23.09 depending on the state of the rules index.