Skip to content

Firewall: Rules [new]: Fix handling of interfacenot, evaluate as floating rules in correct prio_group #9426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Firewall: Rules [new]: Fix handling of interfacenot, evaluate as floating rules in correct prio_group #9426

wants to merge 7 commits into from
+21 −4

Conversation

@Monviech
Copy link
Member

@Monviech Monviech commented Nov 19, 2025

Fixes: #9425

A bit unsure if I got all spots, but this seems to work.

@AdSchellevis please correct this one as needed.

@Monviech Monviech self-assigned this Nov 19, 2025
@Monviech Monviech added the cleanup Low impact changes label Nov 19, 2025
fichtner
fichtner approved these changes Nov 19, 2025
View reviewed changes
Copy link
Member

@fichtner fichtner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks-like-it-does-the-thing type of approval

@Monviech Monviech force-pushed the firewall-interfacenot-floating branch from 66de53d to df0c802 Compare November 21, 2025 08:03
@Monviech
Copy link
Member Author

Monviech commented Nov 21, 2025
edited
Loading

I fixed something small and now it reflects reality in my test:

Empty Interface, Inverted Group, Inverted Interface, Multiple Interface -> All in floating
Single group -> Is in group
Single interface -> Is in interface

image

@fichtner Should I wait on this one or is it okay for master?

AdSchellevis
AdSchellevis requested changes Nov 25, 2025
View reviewed changes
src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
// floating: empty, multiple, or inverted interface
(string)$this->interfacenot === "1" ||
(strpos($interface, ",")) !== false ||
empty($interface)
Copy link
Member

@AdSchellevis AdSchellevis Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't seem to match our actual sorting

core/src/etc/inc/filter.lib.inc

Lines 675 to 681 in c6eaefc

if (isset($rule['floating'])) {
$prio = 200000;
} elseif (isset($ifgroups[$rule['interface']])) {
$prio = 300000 + $ifgroups[$rule['interface']];
} else {
$prio = 400000;
}

Copy link
Member

@fichtner fichtner Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

be0b18930f36f9 says it's a floating rule pinned to one interface so this seems correct?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fichtner fichtner fichtner approved these changes

@AdSchellevis AdSchellevis AdSchellevis requested changes

Assignees

@Monviech Monviech

Labels

cleanup Low impact changes

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

firewall: Rules with inverted interfaces in Firewall: Automation: Filter display in the wrong group

4 participants

@Monviech @fichtner @AdSchellevis