When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong"
-
Well, I'm running ZFS
I backed up my current config, and took a "Quick snapshot"
Then I applied the "patch number" to my 23.05-1 (no reboot/reroot)
If I have done it correctly (patching didn't give any errors), and the patch should function on 23.05-01 too, then it doesn't seem to fix the issue.
New copy rule, after patch is applied
IF Pre copy
..
..
IF Post copy
Maybe the fix .. fixes "rule delete" ... and not "rule insert" ???
Again thank you for looking into this.
Now to ... Either revert the patch , or restore the "snapshot"
Well ... I played safe , and restored the snapshot
Worked excellent/Bingo
-
Yes there have been a number of patches related to that. It may be a combination of them that results in incrementing the separator row correctly.
Let me see....
-
@stephenw10
Did you add/create/update a "redmine" somewhere ?
I can't see any updates in : 8a12728da23fc7cb654cec4a97670ef2b6dfb239
I gotta learn how to make a redmine (I have only ever done one)
/Bingo
-
@bingo600 said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":
(i have only ever done one
So you have an account here.
Once logged in : -
I didn't create a redmine report for this because it's already fixed in 23.09.
I was trying to find the combination of commits that fixes it that might be applied to 23.05.1. There are quite a few things though.
-
I was trying to find the combination of commits that fixes it that might be applied to 23.05.1. There are quite a few things though.
That would be "super handy to get" ... thanx
The 23.09 patches didn't solve it on 23.05-1
I'm in the summerhouse right now, but I might "upgrade" my home test pfS to 23.09 to verify that it's solved.
... My "immediate" gut feeling is that the 23.09 patches should be fixing it for 23.05-1 too (if solving my issue) .. But that's purely "speculations"
Might be able to test tue/wed next week ...
/Bingo
-
@bingo600 said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":
My "immediate" gut feeling is that the 23.09 patches should be fixing it for 23.05-1 too
Yes, I would expect that to be true since that's all in the run-time scripts. It's just finding exactly which commits are required to get the fix since there are many...
-
Yes, I would expect that to be true since that's all in the run-time scripts. It's just finding exactly which commits are required to get the fix since there are many...
So the 3..4 patches from the referred patchset aren't enough ?
I did apply that full set (the ID pulled the full patchfile)
Btw ...
Seems like 23.09 is not in my current 23.05-1 "Upgrade lists" (I only have Current (23.05-1) & Previous (23.05)) , and snapshots are offline.
I even have dug out my "cold spare" pfS here in the summerhouse
Downloaded 2.7.0
And "bought" 4 new Plus keys, for my play boxes.
/Bingo
-
Just adding my experience to this thread.
I also added CloudFlare Tunnel block rules on my box (23.05.1) and used the copy function to add it to the other interfaces.
All the copied rules ended up at the bottom row in every interface (all interfaces have at least 7 basic rule rows and 6 separators).
-
@mvikman said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":
Just adding my experience to this thread.
I also added CloudFlare Tunnel block rules on my box (23.05.1) and used the copy function to add it to the other interfaces.
All the copied rules ended up at the bottom row in every interface (all interfaces have at least 7 basic rule rows and 6 separators).
Thanx for chipping in.
I have "rarely seen" copied rules added to the bottom.
Mine end at the top line 90+ % of the time.
I have no idea what is "controlling" where they end.
/Bingo
-
@bingo600
Manual page has a warning note on this btw.
Don't know if it's been there or added now.
https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#copying-firewall-rules
"When copying rules to different interfaces, they may fall at the start or the end of the target interface rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the target interface before applying changes."
-
@mvikman said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":
@bingo600
Manual page has a warning note on this btw.
Don't know if it's been there or added now.
https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#copying-firewall-rules
"When copying rules to different interfaces, they may fall at the start or the end of the target interface rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the target interface before applying changes."
I don't hope this is the "Solution" for the problem, to have to reorder all the rules.
That would be "close to" unusable ....
On some of my IF's I have 30+ rules.
If they would just add the new rule at the bottom, there would be nothing to "shift up" , and a "move" of the copied rule would be "easy".
Edit:
If the DOC has been changed (I don't think so)
Then it reminds me of the "Old IBM MVS Mainframe days" ...
We had a particularly nasty BUG , that kept popping up .. In the end IBM just changed the DOC, to "don't do that" .... - Issue solved
/Bingo
-
Since the rule ordering is all-important in pfSense there will likely never be a perfect solution here. Keeping the separators in the correct place is relatively easy once you know where the new rule will go.
If all your interfaces have similar rules I would expect it to work. Otherwise adding the rule at the end of the table is probably safest.
-
I would say that the best might be that a copied rule is always added as the last row as a disabled rule, then you can move it to the correct position and enable it without accidentally compromising your rule set.
-
@marcosm
Saw you were active in : https://forum.netgate.com/post/1122028
Regarding my rule copy/duplicate to another IF issue, in this thread.
Would : https://redmine.pfsense.org/issues/14691
Aka Patch: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/26b97b650457ba98360b5648dd801fd0adb567a5
Fix my issue on 23.05.1 ?
Can I apply it there ?
What about : https://redmine.pfsense.org/issues/14619
Patch: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/8a12728da23fc7cb654cec4a97670ef2b6dfb239
Does that have to be applied first ??
I tried to make a snapshot , and apply : https://redmine.pfsense.org/issues/14619
That didn't solve my copy issue, so I reverted.
But will the combo of the two do it ??
Thank you for your work
/Bingo
-
@bingo600 There are a few patches that would be needed in order to fully fix it. I'll see about adding this to the System Patches package. For now, here's the patch for CE/Plus with all of the fixes.
14619_14691_plus.patch
14619_14691_ce.patch
-
@marcosm said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":
@bingo600 There are a few patches that would be needed in order to fully fix it. I'll see about adding this to the System Patches package. For now, here's the patch for CE/Plus with all of the fixes.
14619_14691_plus.patch
14619_14691_ce.patch
I made a snapshot , applied the plus patch and "Rerooted" the Box.
Then I copied a rule from one IF to another , and the Rule ended up at the bottom
That's fine by me THANK YOU
Btw:
Is there any "Easy" explanation to when a copied rule ends up at the top or the bottom ??
On my box it seems a little random.
Thank you for your support
/Bingo
-
With the patch, they should always be placed on the bottom when copying/moving to another interface.
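
As an added illustration (not part of the thread and not pfSense code), here is a simplified Python model of the documentation note quoted above and of the two placements discussed: next to the source rule, versus at the bottom of the target interface as a disabled rule. It assumes that the rules of all interfaces sit in one ordered list and that an unpatched copy is stored right after its source; the rule names, interfaces and addresses are constructed.

```python
# Simplified model, not pfSense code. Assumption: every interface's rules sit in
# one ordered list and each interface tab shows its own subset in that order.
# Rule names, interfaces and addresses are constructed sample data.

def view(rules, iface):
    """Rules as listed (and evaluated) on one interface."""
    return [r for r in rules if r["if"] == iface]

def copy_next_to_source(rules, name, target):
    """Assumed unpatched placement: the copy is stored right after its source."""
    i = next(k for k, r in enumerate(rules) if r["name"] == name)
    new = {**rules[i], "if": target, "name": name + "-copy"}
    return rules[:i + 1] + [new] + rules[i + 1:]

def copy_to_bottom(rules, name, target, disabled=True):
    """Copy stored after the target interface's last rule, disabled by default."""
    src = next(r for r in rules if r["name"] == name)
    new = {**src, "if": target, "name": name + "-copy", "disabled": disabled}
    last = max((k for k, r in enumerate(rules) if r["if"] == target),
               default=len(rules) - 1)
    return rules[:last + 1] + [new] + rules[last + 1:]

def first_match(rules, iface, dst):
    """First enabled rule on the interface that matches dst decides the packet."""
    for r in view(rules, iface):
        if not r.get("disabled") and r["dst"] in (dst, "any"):
            return r["action"], r["name"]
    return "block", "default-deny"

LAN_FIRST = [
    {"if": "lan", "name": "lan-allow-any", "action": "pass", "dst": "any"},
    {"if": "opt1", "name": "opt1-block-mgmt", "action": "block", "dst": "10.0.0.1"},
    {"if": "opt1", "name": "opt1-allow-dns", "action": "pass", "dst": "10.0.0.53"},
]
OPT1_FIRST = LAN_FIRST[1:] + LAN_FIRST[:1]  # same rules, other storage order

def names(rules, iface):
    """Rule names on one interface, top to bottom."""
    return [r["name"] for r in view(rules, iface)]

if __name__ == "__main__":
    for label, cfg in (("lan stored first", LAN_FIRST), ("opt1 stored first", OPT1_FIRST)):
        after = copy_next_to_source(cfg, "lan-allow-any", "opt1")
        print(label, names(after, "opt1"), first_match(after, "opt1", "10.0.0.1"))
    safe = copy_to_bottom(LAN_FIRST, "lan-allow-any", "opt1")
    print("bottom+disabled", names(safe, "opt1"), first_match(safe, "opt1", "10.0.0.1"))
```

In this model a pass rule that lands at the top of the target interface shadows the block rule beneath it, while a copy placed at the bottom and left disabled changes nothing until it is moved and enabled.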