
wrong matching shown in firewall state table

Open ivulit opened this issue 1 year ago • 4 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

Wrong rules are matched in the state table. After applying changes to the firewall rules, the state table shows incorrect matching. For example, a rule contains only an IPv6 address, but IPv4 packets appear in the state table. See the screenshots below. I faced this issue several months ago on version 27.1. After upgrading to 24.7_9 nothing changed. Manually resetting the state table in the UI solves the issue until the next rule change.

To Reproduce

Steps to reproduce the behavior:

  1. Apply a change to the firewall rules
  2. Click on Firewall - Diagnostics - States
  3. Check the different rules by choosing one in the right corner
  4. See wrong matches

Expected behavior

State table shows correct matching

Screenshots

[screenshot: rule] [screenshot: states_table]

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7_9 (amd64) as VM in Proxmox 8.2 Virtio interfaces

ivulit (Aug 05 '24 13:08)

State table shows correct matching

What does "correct" mean here?

Step 0 is obviously adding a new rule, or else the apply would not be needed and the states would be ok?

Cheers, Franco

fichtner (Aug 05 '24 14:08)

What does "correct" mean here?

Correct means, for example, that an IPv6-only rule does not match IPv4 packets :-)

Step 0 is obviously adding a new rule, or else the apply would not be needed and the states would be ok?

It can be anything: adding a new rule, renaming an existing rule, or even just an instance reboot. After boot, without any other action, the issue appears.

ivulit (Aug 05 '24 14:08)

I think the basic issue is that the diagnostics tool offers states per rulenum, which shifts as soon as the rules reload with a different ruleset. I'm unsure how to change that.

fichtner (Aug 05 '24 14:08)

I can confirm the statement above. When I first started using OPNsense, I thought there was a problem when I went to 'Firewall - Diagnostics - States' after making any type of change to firewall rules, including NAT: Port Forward. The states did not make any sense (you need to look at all of them). But I learned that resetting the state table worked, as stated in the documentation: "When changing rules, sometimes its necessary to reset states...". Now, when I make any type of change, the first step is to reset. I believe this means every device on the network needs to re-establish its state, but in my case it works. I have not tested not resetting and then looking at the state table after some period of time such as 1 hr, 1 day, etc. I also never tested whether traffic did actually happen on the state that appeared incorrect. However, at first it was disconcerting to see states that did not make sense after a change; in other words, was traffic allowed that should be denied? Is there a way to capture 'rulenum' before and then after a "change" in order to understand what is changing?

vimage22b (Aug 06 '24 23:08)

I almost had a stroke seeing established connections allowed by totally unrelated rules, and started to think I couldn't trust my rules... A bit of relief if it's just the states page which shows wrong data. Resetting states is not really an option (100 ~ 150k active connections with a lot of components which wouldn't be happy if they were dropped). If the rule associated with a state can't be reliably identified, it shouldn't be displayed at all.

dani (Nov 27 '24 21:11)

I agree, to a certain extent. But I have some thoughts. The behavior of rulenum and the ruleset is probably the key to understanding this, but I'm not sure where to go to look at it. Next, I have never had the patience to look at what happens if you let a period of time elapse, such as one hour, 24 hrs, etc. Do the states end up reflecting the current states at some point? Finally, can a dump of pftop be matched to the output seen on the states page, one to one, after a fresh reset? I am assuming pftop would always be accurate. It could then be used as a tool to compare the states page to pftop states. I would be willing to try this, if there is interest in pursuing it.

vimage22b (Dec 01 '24 14:12)
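The following is an added example, not code from OPNsense or from anyone in this thread. It illustrates Franco's explanation above (states are offered per rulenum, and the numbering shifts on every ruleset reload) and vimage22b's question about capturing rulenum before and after a change. Each pf state carries the number its creating rule had in the ruleset that was loaded at the time; after a reload the ruleset is renumbered but the existing states keep their old numbers, so a viewer that looks the number up in the current ruleset attributes the state to whatever rule now sits in that slot. The pfctl output below is constructed for this example and follows the shape of FreeBSD's `pfctl -vvsr` (rules prefixed "@N") and `pfctl -vvss` (states, with "rule N" on the age line); the assumption that each rule carries a stable label (OPNsense emits one per generated rule) is what makes before/after comparison possible. A state whose stored number resolves to a rule of the wrong address family is exactly the "IPv6-only rule with IPv4 packets" symptom from the report, and is a reliable sign that the numbering has shifted since the state was created.

```python
"""Added example (not OPNsense code): why a state viewer keyed on pf rule
numbers mislabels states after a ruleset reload, and how to detect it.

Inputs are constructed to follow the shape of FreeBSD `pfctl -vvsr`
(rules prefixed "@N") and `pfctl -vvss` (states, "rule N" on the age line);
labels are assumed to be stable per-rule identifiers.
"""
import re
from dataclasses import dataclass

# Ruleset at the time the two states below were created (constructed).
RULES_BEFORE = """\
@0 block drop in log all label "default deny"
  [ Evaluations: 10 Packets: 2 Bytes: 120 States: 0 ]
@1 pass in quick on vtnet0 inet6 proto tcp from any to 2001:db8::10 port = 443 flags S/SA keep state label "allow-web-v6"
  [ Evaluations: 8 Packets: 40 Bytes: 4000 States: 1 ]
@2 pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "allow-ssh-v4"
  [ Evaluations: 5 Packets: 30 Bytes: 3000 States: 1 ]
"""

# Same ruleset after one rule was inserted near the top: everything below it
# shifts by one, but the existing states still carry their old numbers.
RULES_AFTER = """\
@0 block drop in log all label "default deny"
@1 pass in quick on vtnet0 inet proto icmp from 198.51.100.0/24 to any keep state label "allow-ping-v4"
@2 pass in quick on vtnet0 inet6 proto tcp from any to 2001:db8::10 port = 443 flags S/SA keep state label "allow-web-v6"
@3 pass in quick on vtnet0 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "allow-ssh-v4"
"""

# Two states created under RULES_BEFORE (constructed `pfctl -vvss` dump).
STATES = """\
vtnet0 tcp 192.0.2.10:22 <- 203.0.113.7:51514       ESTABLISHED:ESTABLISHED
   [3031283251 + 65535] wscale 7  [2021003900 + 65535] wscale 6
   age 00:12:40, expires in 23:59:58, 30:28 pkts, 3000:2800 bytes, rule 2
   id: 0000000066b0a1c2 creatorid: 1ab2c3d4
vtnet0 tcp 2001:db8::10[443] <- 2001:db8:1::5[40212]       ESTABLISHED:ESTABLISHED
   [1000000000 + 65535] wscale 7  [2000000000 + 65535] wscale 6
   age 00:05:01, expires in 23:59:59, 40:38 pkts, 4000:3800 bytes, rule 1
   id: 0000000066b0a1c3 creatorid: 1ab2c3d4
"""


@dataclass(frozen=True)
class Rule:
    nr: int
    family: str   # "inet", "inet6" or "any"
    label: str


@dataclass(frozen=True)
class State:
    key: str      # "iface proto src <- dst" as pfctl prints it
    family: str
    rule_nr: int  # number of the creating rule, in the ruleset of that time


def parse_rules(text):
    """Map rule number -> Rule for one `pfctl -vvsr` snapshot."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(.*)$", line)
        if not m:
            continue                      # counter lines, not rules
        nr, body = int(m.group(1)), f" {m.group(2)} "
        family = "inet6" if " inet6 " in body else "inet" if " inet " in body else "any"
        label = re.search(r'label "([^"]*)"', body)
        rules[nr] = Rule(nr, family, label.group(1) if label else "")
    return rules


def parse_states(text):
    """List of State for one `pfctl -vvss` dump."""
    states, key, family = [], None, None
    for line in text.splitlines():
        if not line.startswith(" "):      # header: iface proto src <- dst  STATE
            key = re.sub(r"\s{2,}.*$", "", line)
            family = "inet6" if "[" in line.split()[2] else "inet"  # v6 prints addr[port]
            continue
        m = re.search(r"\brule (\d+)", line)
        if m and key is not None:
            states.append(State(key, family, int(m.group(1))))
            key = None
    return states


def attribute(states, rules):
    """Resolve each state's stored rule number against `rules`, as a viewer
    that only knows the current ruleset does. Returns [(state key, label)]."""
    return [(s.key, rules[s.rule_nr].label if s.rule_nr in rules else None)
            for s in states]


def inconsistent(states, rules):
    """State keys whose stored number resolves to a rule that cannot have
    created them (address family mismatch, or no such number): evidence that
    the ruleset was renumbered after the state was created."""
    bad = []
    for s in states:
        r = rules.get(s.rule_nr)
        if r is None or (r.family != "any" and r.family != s.family):
            bad.append(s.key)
    return bad


def renumbered(before, after):
    """Labels whose number changed between two snapshots: {label: (old, new)}.
    New labels get old=None, removed labels get new=None."""
    old = {r.label: r.nr for r in before.values()}
    new = {r.label: r.nr for r in after.values()}
    return {lab: (old.get(lab), new.get(lab)) for lab in old.keys() | new.keys()
            if old.get(lab) != new.get(lab)}


if __name__ == "__main__":
    before, after = parse_rules(RULES_BEFORE), parse_rules(RULES_AFTER)
    states = parse_states(STATES)
    for key, label in attribute(states, after):
        print(f"viewer shows {key!r} under {label!r}")
    print("suspect:", inconsistent(states, after))
    print("renumbered:", renumbered(before, after))
```

Run against the constructed data, `attribute(states, after)` puts the IPv4 SSH state under "allow-web-v6" and the IPv6 web state under "allow-ping-v4", which is the mislabeling the screenshots show; `inconsistent()` flags both, and `renumbered()` reports which labels moved (and the newly inserted one). On a real box the two snapshots would come from `pfctl -vvsr` captured immediately before and after the apply, which is the before/after capture vimage22b asked about; a viewer that wants to avoid showing a guess could hide, rather than mislabel, any state whose number fails the family check.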

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot (Feb 01 '25 13:02)