opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

wrong matching shown in firewall state table #7724

Open ivulit opened 1 month ago

ivulit commented 1 month ago

Describe the bug

Wrong rule matching in the state table. After applying changes to firewall rules, the state table shows incorrect matching. For example, a rule contains only an IPv6 address, but IPv4 packets appear in the state table. See the screenshots below. I faced this issue several months ago on version 27.1. After upgrading to 24.7_9 nothing changed. Manually resetting the state table in the UI solves the issue until the next rule change.

To Reproduce

Steps to reproduce the behavior:

  1. Apply changes to firewall rules
  2. Click on Firewall - Diagnostics - States
  3. Check different rules by choosing them in the right corner
  4. See wrong matches

Expected behavior

State table shows correct matching

Screenshots

[Screenshots: "rule", "states_table"]

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7_9 (amd64) as a VM in Proxmox 8.2, Virtio interfaces

fichtner commented 1 month ago

State tables shows correct matching

What does "correct" mean here?

Step 0 is obviously adding a new rule or else the apply would not be needed and the states would be ok?

Cheers, Franco

ivulit commented 1 month ago

What does "correct" mean here?

Correct means, for example, that an IPv6-only rule does not match IPv4 packets :-)

Step 0 is obviously adding a new rule or else the apply would not be needed and the states would be ok?

It can be anything: adding a new rule, renaming an existing rule, or even just rebooting the instance. After boot, without any other actions, the issue appears.

fichtner commented 1 month ago

I think the basic issue is the diagnostics tool will offer states per rulenum, which shifts as soon as the rules reload with a different ruleset. I'm unsure how to change that.

vimage22b commented 1 month ago

I can confirm the statement above. When I first started using OPNsense, I thought there was a problem when I went to 'Firewall - Diagnostics - States' after making any type of change to firewall rules, including NAT: Port Forward. The states did not make any sense (need to look at all of them). But I learned that resetting the state table worked, as stated in the documentation: "When changing rules, sometimes its necessary to reset states...". Now, when I make any type of change, the first step is to reset. I believe this means every device on the network needs to re-establish its state, but in my case, it works. I have not tested the concept of not resetting and then looking at the state table after some period of time such as 1 hr., 1 day, etc. I also never tested whether traffic did actually happen on the state that appeared incorrect. However, at first, it was disconcerting to see states that did not make sense after a change. In other words, was traffic allowed that should be denied? Is there a way to capture 'rulenum' before and then after a "change" in order to understand what is changing?
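The following simulation is an added example and not OPNsense code; it illustrates fichtner's point that states are looked up per positional rulenum, which shifts when the ruleset is reloaded with a rule inserted above, and it answers vimage22b's question by diffing the rule numbers of a ruleset before and after a change. The ruleset, the states and the idea that a state also carries the stable label of its creating rule are constructed assumptions for the illustration; the mitigation shown (keying the lookup on a label instead of the position) is one possible approach, not the project's implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    label: str    # stable identifier (assumed to survive reloads, unlike the position)
    family: str   # address family the rule applies to: "inet" (IPv4) or "inet6"


@dataclass(frozen=True)
class State:
    src: str
    dst: str
    family: str   # address family of the packet that created the state
    rulenum: int  # positional rule number recorded when the state was created
    label: str    # label of the creating rule, captured at creation (assumption)


def number_rules(ruleset):
    """Map positional rule number -> Rule, the way a loaded ruleset is numbered."""
    return {num: rule for num, rule in enumerate(ruleset)}


def states_by_rulenum(states, rulenum):
    """Lookup as a per-rulenum diagnostics view does: position only."""
    return [s for s in states if s.rulenum == rulenum]


def states_by_label(states, label):
    """Lookup keyed on the stable label instead of the position."""
    return [s for s in states if s.label == label]


def stale_states(ruleset, states):
    """States whose recorded rulenum now points at a rule of another address family.

    This is the detection check: after a reload, any hit here means the
    per-rulenum view is showing a state under a rule that could not have created it.
    """
    numbered = number_rules(ruleset)
    stale = []
    for s in states:
        rule = numbered.get(s.rulenum)
        if rule is None or rule.family != s.family:
            stale.append(s)
    return stale


def rulenum_shift(before, after):
    """Label -> (old number, new number) for every rule whose position changed."""
    old = {r.label: n for n, r in enumerate(before)}
    new = {r.label: n for n, r in enumerate(after)}
    return {lbl: (old[lbl], new[lbl])
            for lbl in old if lbl in new and old[lbl] != new[lbl]}


# Constructed scenario: two rules, one state created by each.
RULES_BEFORE = [
    Rule("allow-v6-only", "inet6"),
    Rule("allow-v4-web", "inet"),
]
STATES = [
    State("2001:db8::10", "2001:db8::1", "inet6", rulenum=0, label="allow-v6-only"),
    State("192.0.2.10", "198.51.100.80", "inet", rulenum=1, label="allow-v4-web"),
]
# The "change": a new rule inserted at the top shifts both existing rules down by one.
RULES_AFTER = [Rule("block-bogons", "inet")] + RULES_BEFORE


def demo():
    """Show the stale lookup and the label-based lookup side by side."""
    v6_rule_num_after = number_rules(RULES_AFTER)  # allow-v6-only is now rule 1
    print("rulenum shift after reload:", rulenum_shift(RULES_BEFORE, RULES_AFTER))
    print("rule 1 is now:", v6_rule_num_after[1].label)
    print("states shown for rule 1 by rulenum:",
          [(s.src, s.family) for s in states_by_rulenum(STATES, 1)])
    print("states shown for allow-v6-only by label:",
          [(s.src, s.family) for s in states_by_label(STATES, "allow-v6-only")])
    print("stale states after reload:", len(stale_states(RULES_AFTER, STATES)))


if __name__ == "__main__":
    demo()
```

Before the reload `stale_states` is empty; after it, the per-rulenum view lists the IPv4 state under the IPv6-only rule, which is exactly the symptom in the report, while the label-based lookup is unaffected. The `rulenum_shift` output is the before/after capture vimage22b asks about, reduced to the rules whose number actually moved.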