Bug #16754

closed

Aliases can be deleted if in use, resulting in unexpected alias generation

Added by Steve Y 7 days ago. Updated 7 days ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Aliases / Tables
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

If one tries to delete an alias used in a firewall rule, the attempt is denied. However, if the alias is only used/nested inside another alias, the deletion is allowed.

As a side effect, the result is unexpected, sometimes resulting in incomplete/invalid/empty aliases, or a "parent" alias that still contains the deleted alias' IPs.

From my personal testing:

Start:
  • a = a1,a2
  • a1 = 1.1.1.1
  • a2 = 2.2.2.2

Create a WAN rule to block any from source a.

If I delete a2 and do a filter reload:

  • Firewall > Aliases shows (a=a1,a2) and (a1=1.1.1.1)
  • Firewall > Aliases does not list a2
  • Diagnostics > Tables shows (a=1.1.1.1, 2.2.2.2) (including the deleted alias)
  • I notice no errors on the filter reload page

I then tried to start over. If I simply recreate a2, and apply, I end up with:

  • alias a=a1,a2 (still)
  • Diagnostics > Tables shows (a=2.2.2.2 only) (1.1.1.1 is missing)
  • a filter reload does not change a

Also note if an upper case "sub-alias" is deleted it changes to lower case in the "parent alias" list ("A1, a2"). If "A2" is recreated the parent alias changes back to upper case again ("A1,A2").

Forum thread: https://forum.netgate.com/topic/200390/bug-when-deleting-nested-aliasses
See thread for other examples.

OP was using CE 2.8.1. I tested on 26.03 RC on a 2100. OP also found different symptoms from what I experienced but performed a slightly different test.
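
An added example, not part of the report or of pfSense's own code: an offline audit that lists which aliases nest a given alias and which parent aliases still name a member that is no longer defined, the state described above after a2 was deleted. It assumes a config.xml layout in which each `<alias>` holds a `<name>` and a space-separated `<address>`; the sample XML and all function names are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the state from the report after "a2" was deleted.
SAMPLE_CONFIG = """<pfsense><aliases>
  <alias><name>a</name><type>host</type><address>a1 a2</address></alias>
  <alias><name>a1</name><type>host</type><address>1.1.1.1</address></alias>
</aliases></pfsense>"""

# Assumed alias-name character set; single-label hostnames also match it,
# so findings need a manual look before acting on them.
ALIAS_NAME = re.compile(r"^[A-Za-z0-9_]+$")

def load_aliases(xml_text):
    """Return {alias name: [member tokens]} from the <alias> entries."""
    root = ET.fromstring(xml_text)
    return {
        (node.findtext("name") or "").strip(): (node.findtext("address") or "").split()
        for node in root.iter("alias")
    }

def is_address(token):
    """True when the token is an IP address or CIDR network."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def parents_of(aliases, target):
    """Aliases that nest `target`. Compared case-insensitively (an assumption,
    chosen because the report shows member names changing case)."""
    wanted = target.lower()
    return sorted(name for name, members in aliases.items()
                  if any(m.lower() == wanted for m in members))

def dangling_members(aliases):
    """(parent, member) pairs where member looks like an alias but is undefined."""
    defined = {name.lower() for name in aliases}
    return sorted((parent, m) for parent, members in aliases.items()
                  for m in members
                  if ALIAS_NAME.match(m) and not m.isdigit()
                  and not is_address(m) and m.lower() not in defined)

if __name__ == "__main__":
    aliases = load_aliases(SAMPLE_CONFIG)
    print("parents of a1:", parents_of(aliases, "a1"))
    print("dangling members:", dangling_members(aliases))
```

A non-empty `parents_of` result is the condition under which a delete would leave a parent alias pointing at nothing; a non-empty `dangling_members` result means that has already happened, and Diagnostics > Tables should be compared against the intended contents.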
