How to verify rule and separator position in the Firewall Rules menu !?

louis2 · Mar 9, 2025, 7:23 PM

In the past I noticed that:

On the Firewall Interface screens, rules did not always stick on the same relative position.
The same was true for separator lines
and I think that rule numbers (in the GUI known as TrackingID) could sometimes change over time

I found that very annoying in the Gui, but it was also affecting the lookup table which I did create using login via ssh option 8
pfctl -vvsr > <YYYYMMDD_HHMM>_RuleDump.txt

Very recent there was a patch (Fix rule order after deleting or adding a firewall rule (Redmine #16076) )which should fix that behavoir. The patch is available under menu item system / patches.

As the title suggest, my intention is/was to check the rule and separator position stability in the Firewall Rules Menu's. My intention was to do that via the ruledump generated as described above.

In the rule dump you find three fields which feels related to ^rule processing order^

QueryNo
ridentifier (which is the same as he GUI known as TrackingID)
and a label called "id:1694963511" which is not always present and which equals the ridentifier

A firewall rule as shown in the GUI (having one ridentifier), is in most cases split into a set of subrules handling certain aspects of the rule.
Example one subrule for IPV4 and one for IV6. Often it is more complex than that.

The query (pfctl -vvsr > <YYYYMMDD_HHMM>_RuleDump.txt) creates a list of all those subrules. Each subrule has the same ridentifier. There is one QueryNo for each subrule.

Back to the GUI A small test shows that

a rule gets an number at creation time and seems to keep that number
also when moved on the same rule page
the number is higher than existing numbers. The number is not just ^+1^
The number is raised via an unknown algorithm

Given that the ridentifier is stable even when moved, ridentifier can not be the key which de terms the rule processing order.

So the big questions are:

which key does determine the rule processing order
related what de terms the rule and separator position on the rules screen
how to verify the rule processing order stability and the relative positions of the rules and the separators (as I tried to do, given negative experiences in the past)

stephenw10 · Mar 10, 2025, 12:51 AM

The rule order is given by the position/order in the config file.

There is a thread for this here: https://forum.netgate.com/topic/196601/rules-order-randomly-changes/

Including steps to reproduce it to test.

marcosm · Mar 10, 2025, 10:22 PM

The rule order in the configuration file is supposed to reflect both the rule processing and rule position (i.e. what's shown in the GUI) order. Ultimately, the processing itself is determined by what gets put into /tmp/rules.debug. As for the rule position in the GUI, there are multiple factors involved. With the latest fixes (referenced in the thread linked above), what does happen should finally match what is supposed to happen.