Open ivulit opened 1 month ago
State table shows correct matching
What does "correct" mean here?
Step 0 is obviously adding a new rule or else the apply would not be needed and the states would be ok?
Cheers, Franco
What does "correct" mean here?
Correct means, for example, that an IPv6-only rule does not match IPv4 packets :-)
Step 0 is obviously adding a new rule or else the apply would not be needed and the states would be ok?
It can be anything: adding a new rule, renaming an existing rule, and even just an instance reboot. After boot, without any other actions, that issue appears.
I think the basic issue is the diagnostics tool will offer states per rulenum, which shifts as soon as the rules reload with a different ruleset. I'm unsure how to change that.
I can confirm the statement above. When I first started using OPNsense, I thought there was a problem when I went to 'Firewall - Diagnostics - States' after making any type of change to firewall rules, including NAT: Port Forward. The states did not make any sense (need to look at all of them). But I learned that resetting the state table worked, as stated in the documentation: "When changing rules, sometimes it's necessary to reset states...". Now, when I make any type of change, the first step is to reset. I believe this means every device on the network needs to re-establish its state, but in my case, it works. I have not tested the concept of not resetting and then looking at the state table after some period of time such as 1 hr, 1 day, etc. I also never tested whether traffic did actually happen on the state that appeared incorrect. However, at first, it was disconcerting to see states that did not make sense after a change. In other words, was traffic allowed that should be denied? Is there a way to capture 'rulenum' before and then after a "change" in order to understand what is changing?
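The question above (capturing the rule number before and after a change) and the earlier observation that the diagnostics page shows states per rulenum, which shifts when the ruleset reloads, can both be checked from the shell. The script below is an added example, not code from the thread participants or from the OPNsense project. It assumes the FreeBSD pf(4) output shapes of `pfctl -sr -vv` (each rule prefixed with its number as `@N`, followed by indented counter lines) and `pfctl -ss -v` (an unindented header line per state, then indented detail lines, one of which ends with `rule N`); both sample outputs are constructed for illustration. It parses a rule snapshot taken before the change and one taken after, then lists every surviving state whose stored rule number now names a different rule, which is exactly how an IPv6 connection can end up displayed under an IPv4-only rule without any packet having matched it.

```python
"""Snapshot pf rule numbers before and after a ruleset reload and flag the
states whose stored rule number now names a different rule.

Added example, not OPNsense project code. Assumptions (not confirmed by the
thread): FreeBSD pf(4) output shapes
  pfctl -sr -vv  -> each rule line prefixed "@<n>" (the rule number), followed
                    by indented "[ Evaluations: ... ]" counter lines
  pfctl -ss -v   -> one unindented header line per state, then indented detail
                    lines, one of which ends with ", rule <n>"
All sample outputs below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATE_RULE_RE = re.compile(r"\brule\s+(\d+)\b")

# Constructed: ruleset before the change (three rules, numbered @0..@2).
RULES_BEFORE = """\
@0 block drop in log all label "Default deny rule"
  [ Evaluations: 1203      Packets: 57        Bytes: 3420        States: 0     ]
@1 pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "allow ssh"
  [ Evaluations: 1203      Packets: 88        Bytes: 9100        States: 1     ]
@2 pass in quick on vtnet0 inet6 proto tcp from any to 2001:db8::10 port = 443 flags S/SA keep state label "allow https v6"
  [ Evaluations: 400       Packets: 22        Bytes: 10800       States: 1     ]
"""

# Constructed: the same ruleset after inserting one IPv4 rule at position 1.
# Every rule below it shifts down by one number, but existing states keep the
# number they were created with.
RULES_AFTER = """\
@0 block drop in log all label "Default deny rule"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass in quick on vtnet0 inet proto udp from any to 192.0.2.10 port = 53 keep state label "allow dns"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@2 pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "allow ssh"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@3 pass in quick on vtnet0 inet6 proto tcp from any to 2001:db8::10 port = 443 flags S/SA keep state label "allow https v6"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

# Constructed: states that existed before the reload and survive it.
STATES = """\
vtnet0 tcp 192.0.2.10:22 <- 198.51.100.7:51514       ESTABLISHED:ESTABLISHED
   [2970213487 + 65536] wscale 7  [1089921041 + 65536] wscale 7
   age 00:03:12, expires in 23:56:48, 41:37 pkts, 5240:6110 bytes, rule 1
vtnet0 tcp 2001:db8::10[443] <- 2001:db8:1::5[40122]       ESTABLISHED:ESTABLISHED
   [1120993121 + 65536] wscale 7  [3349827744 + 65536] wscale 7
   age 00:00:30, expires in 23:59:30, 12:10 pkts, 1800:9000 bytes, rule 2
"""


def parse_rules(text: str) -> Dict[int, str]:
    """Map rule number -> rule text from `pfctl -sr -vv` output."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2).strip()
    return rules


def parse_states(text: str) -> List[Tuple[str, int]]:
    """Return (state header, rule number) pairs from `pfctl -ss -v` output."""
    states: List[Tuple[str, int]] = []
    header: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented line starts a new state
            header = line.strip()
            continue
        m = STATE_RULE_RE.search(line)
        if m and header is not None:
            states.append((header, int(m.group(1))))
    return states


def stale_states(states: List[Tuple[str, int]], before: Dict[int, str],
                 after: Dict[int, str]) -> List[Tuple[str, int, Optional[str], Optional[str]]]:
    """States whose rule number names a different rule after the reload.

    Each entry is (state header, rulenum, rule text at creation, rule text now).
    """
    out = []
    for header, n in states:
        if before.get(n) != after.get(n):
            out.append((header, n, before.get(n), after.get(n)))
    return out


if __name__ == "__main__":
    report = stale_states(parse_states(STATES),
                          parse_rules(RULES_BEFORE), parse_rules(RULES_AFTER))
    for header, n, was, now in report:
        print(f"{header}\n  rule {n} was: {was}\n  rule {n} now:  {now}\n")
```

To use it on a live box, capture `pfctl -sr -vv` and `pfctl -ss -v` to files before applying the change, capture `pfctl -sr -vv` again afterwards, and feed those three captures in place of the constructed constants. With the sample data the IPv6 HTTPS state, created under rule 2 ("allow https v6"), is reported as now sitting under rule 2 "allow ssh", an `inet`-only rule; the state is not wrong and no IPv4 packet matched the IPv6 rule, only the number-to-rule mapping the diagnostics page relies on has moved.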
Describe the bug
Wrong rule matches in the state table. After applying changes to the firewall rules, the state table shows incorrect matching. For example, the rule contains only an IPv6 address, but IPv4 packets appear in the state table. See the screenshots below. I faced this issue several months ago on version 27.1. After upgrading to 24.7_9 nothing changed. Manually resetting the state table in the UI solves the issue until the next rules change.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
State table shows correct matching
Screenshots
Software version used and hardware type if relevant, e.g.:
OPNsense 24.7_9 (amd64) as a VM in Proxmox 8.2, VirtIO interfaces