When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong"

mvikman

Just adding my experience to this thread.

I also added CloudFlare Tunnel block rules on my box (23.05.1) and used the copy function to add it to the other interfaces.
All the copied rules ended up at the bottom row in every interface (all interfaces have at least 7 basic rule rows and 6 separators).

bingo600

@mvikman said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":

Just adding my experience to this thread.

I also added CloudFlare Tunnel block rules on my box (23.05.1) and used the copy function to add it to the other interfaces.
All the copied rules ended up at the bottom row in every interface (all interfaces have at least 7 basic rule rows and 6 separators).

Thanx for chipping in.

I have "rarely seen" copied rules added to the bottom.
Mine end at the top line 90+ % of the time.

I have no idea what is "controlling" where they end.

/Bingo

mvikman

@bingo600
Manual page has a warning note on this btw.
Don't know if it's been there or added now.

https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#copying-firewall-rules
"When copying rules to different interfaces, they may fall at the start or the end of the target interface rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the target interface before applying changes."

bingo600

@mvikman said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":

@bingo600
Manual page has a warning note on this btw.
Don't know if it's been there or added now.

https://docs.netgate.com/pfsense/en/latest/firewall/rule-list-intro.html#copying-firewall-rules
"When copying rules to different interfaces, they may fall at the start or the end of the target interface rule list depending on the order of the interface rules in the configuration. Be prepared to reorder the rules on the target interface before applying changes."

I don't hope this is the "Solution" for the problem, to have to reorder all the rules.
That would be "close to" unusable ....

On some of my IF's i have 30+ rules.

If they would just add the new rule at the bottom, there would be nothing to "shift up" , and a "move" of the copied rule would be "easy".

Edit:
If the DOC has been changed (I don't think so)
Then it reminds me of the "Old IBM MVS Mainframe days" ...
We had a particular nasty BUG , that kept popping up .. In the end IBM just changed the DOC, to "don't do that" .... - Issue solved

/Bingo

stephenw10

Since the rule ordering is all-important in pfSense there will likely never be a perfect solution here. Keeping the separators in the correct place is relatively easy once you know where the new rule will go.
If all your interfaces have similar rules I would expect it to work. Otherwise adding the rule at the end of the table is probably safest.

mvikman

I would say that best might be that copied rule is always added as the last row as a disabled rule, then you can move it to correct position and enable it without accidentally compromising your rule set.

bingo600

@marcosm
Saw you were active in : https://forum.netgate.com/post/1122028

Regarding my rule copy/duplicate to another IF issue, in this thread.

Would : https://redmine.pfsense.org/issues/14691
Aka Patch: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/26b97b650457ba98360b5648dd801fd0adb567a5

Fix my issue on 23.05.1 ?
Can i apply it there ?

What about : https://redmine.pfsense.org/issues/14619
Patch: https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/8a12728da23fc7cb654cec4a97670ef2b6dfb239

Does that have to be applied first ??

I tried to make a snapshot , and apply : https://redmine.pfsense.org/issues/14619
That didn't solve my copy issue, so i reverted.

But will the combo of the two do it ??

Thank you for your work

/Bingo

marcosm

@bingo600 There are a few patches that would be needed in order to fully fix it. I'll see about adding this to the System Patches package. For now, here's the patch for CE/Plus with all of the fixes.
14619_14691_plus.patch
14619_14691_ce.patch

bingo600

@marcosm said in When copying a rule from one if to another, it seems like pfSense is reordering the rules "wrong":

@bingo600 There are a few patches that would be needed in order to fully fix it. I'll see about adding this to the System Patches package. For now, here's the patch for CE/Plus with all of the fixes.
14619_14691_plus.patch
14619_14691_ce.patch

I made a snapshot , applied the plus patch and "Rerooted" the Box.

Then i copied a rule from one IF to another , and the Rule ended up at the bottom
That's fine by me THANK YOU

Btw:
Is there any "Easy" explanation to when a copied rule eds up at the top or the bottom ??
On my box it seems a little random.

Thank you for your support

/Bingo

marcosm

With the patch, they should always be placed on the bottom when copying/moving to another interface.