
Firewall group list does not display group membership and does not permit editing of existing groups

Open michaelroland opened this issue 1 year ago • 4 comments

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

The firewall groups menu does not display group memberships of interfaces. The corresponding call to /api/firewall/group/searchItem returns an empty list for the members attribute, even though group rules are applied to the interfaces that were selected and listed as group members in the old group selection UI (preceding version).

Also, when trying to edit an entry in the list of interface groups, the call to /api/firewall/group/getItem/<uuid> returns an empty JSON array ([]) for any of the existing groups. Consequently, the edit dialog does not display any editable information about the interface group (not even its name).

Truncated output from POST /api/firewall/group/searchItem endpoint:

{"rows":[{"uuid":"ab56e48f-4f30-451f-b8fc-e8a278b7852a","ifname":"FIM_Infra_GRP","descr":"","members":"","sequence":"0"},{"uuid":"a0a9f5a1-4bf5-4864-819c-54b78ed7d143","ifname":"INS_Guests_GRP","descr":"","members":"","sequence":"0"},
...

Output from GET /api/firewall/group/getItem/ab56e48f-4f30-451f-b8fc-e8a278b7852a endpoint:

[]

Groups and memberships existed before upgrading to a 23.7.* version and I did not try to add any new groups yet.

To Reproduce

Edit any existing group. The edit screen will not display any information about the edited group.

Expected behavior

Group membership should be displayed and when editing an existing group, the group information should actually be displayed and editable in the edit dialog.

Environment

OPNsense 23.7.12 (amd64)

michaelroland avatar Jan 18 '24 16:01 michaelroland

After further debugging, it seems that this is actually two distinct problems:

  1. Editing interface details does not work since the UUIDs required for the MVC version of the firewall/groups UI are not present in the (migrated?) configuration. This is the relevant part of the configuration backup when the problem was observed:

      <ifgroups>
        <ifgroupentry>
          <members>opt6 opt2 enc0 opt11 opt21 opt1</members>
          <descr/>
          <ifname>FIM_Infra_GRP</ifname>
          <nogroup>1</nogroup>
        </ifgroupentry>
        <ifgroupentry>
          <members>opt2 enc0 opt11 opt21 opt1</members>
          <descr/>
          <ifname>INS_Guests_GRP</ifname>
          <nogroup>1</nogroup>
        </ifgroupentry>
    

    This is solved by clicking the apply button at the bottom of the firewall/groups page. After that, the configuration backup contains (see the added uuid attribute on ifgroupentry):

      <ifgroups>
        <ifgroupentry uuid="3b03b7d1-89f1-4c29-8d9e-082d5862a247">
          <ifname>FIM_Infra_GRP</ifname>
          <members>opt6 opt2 enc0 opt11 opt21 opt1</members>
          <nogroup>1</nogroup>
          <sequence>0</sequence>
          <descr/>
        </ifgroupentry>
        <ifgroupentry uuid="21661cbf-f95f-45ea-b870-c9fe00c699aa">
          <ifname>INS_Guests_GRP</ifname>
          <members>opt2 enc0 opt11 opt21 opt1</members>
          <nogroup>1</nogroup>
          <sequence>0</sequence>
          <descr/>
        </ifgroupentry>
    

    Not sure if this is intended behavior or if there is something missing in the configuration migration procedure during upgrade.

  2. The other issue is assignment of interfaces to an interface list. Looking at the members field above, the value is a space-separated list. However, the InterfaceField model (BaseListField) seems to expect a comma-separated list. This can also be seen when a new group is added:

        <ifgroupentry uuid="f2ded210-bd3c-45c0-b0c1-895adac62722">
          <ifname>TEST_GRP</ifname>
          <members>opt2,opt4,opt3</members>
          <nogroup>1</nogroup>
          <sequence>0</sequence>
          <descr/>
        </ifgroupentry>
    

    Again, it seems that there is some configuration migration missing for the MVC version of the firewall groups.

michaelroland avatar Jan 18 '24 22:01 michaelroland
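
A check for the two conditions reported in the comment above, as an added example that is not part of the original thread or of OPNsense: it scans a configuration backup for `ifgroupentry` elements that lack a `uuid` attribute or still carry space-separated `members`. The function name `audit_ifgroups`, the `<opnsense>` wrapper and the sample XML are constructed for illustration, modelled on the excerpts in this issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one legacy entry, one entry after "apply" (uuid added,
# members unchanged), and one entry created in the MVC UI.
SAMPLE_CONFIG = """<opnsense>
  <ifgroups>
    <ifgroupentry>
      <members>opt6 opt2 enc0</members>
      <descr/>
      <ifname>FIM_Infra_GRP</ifname>
    </ifgroupentry>
    <ifgroupentry uuid="21661cbf-f95f-45ea-b870-c9fe00c699aa">
      <ifname>INS_Guests_GRP</ifname>
      <members>opt2 enc0 opt11</members>
    </ifgroupentry>
    <ifgroupentry uuid="f2ded210-bd3c-45c0-b0c1-895adac62722">
      <ifname>TEST_GRP</ifname>
      <members>opt2,opt4,opt3</members>
    </ifgroupentry>
  </ifgroups>
</opnsense>"""


def audit_ifgroups(config_xml):
    """Return {group name: [findings]} for entries that still look unmigrated."""
    findings = {}
    root = ET.fromstring(config_xml)
    for entry in root.iter("ifgroupentry"):
        name = entry.findtext("ifname", default="(unnamed)")
        members = (entry.findtext("members") or "").strip()
        issues = []
        if not entry.get("uuid"):
            # Without a uuid the entry cannot be addressed by getItem/<uuid>.
            issues.append("missing uuid attribute")
        if "," not in members and len(members.split()) > 1:
            # Several names separated only by whitespace: the legacy format.
            issues.append("space-separated members")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for group, issues in audit_ifgroups(SAMPLE_CONFIG).items():
        print(group, "->", "; ".join(issues))
```

Groups flagged here are the ones whose membership shows as empty in the list even though their rules still apply to the listed interfaces, so they are worth reviewing before editing rules through the UI.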

Most likely cause is a failed migration after upgrade, the UUIDs will be added after apply, content won’t be changed. Best update the groups manually (or revert, run the upgrade script manually and try to fix the inconsistencies).

AdSchellevis avatar Jan 19 '24 08:01 AdSchellevis

Thanks, manual upgrade of the entries was what I did after finding out why entries did not properly display. I could not locate the source where config migration happens though, so I was unable to evaluate if that was a specific issue for the versions that I hopped between or if there's an issue with that part of the config migration in general. Do you have any hints where the config migration takes place?

michaelroland avatar Jan 19 '24 09:01 michaelroland

Sure, it’s this script https://github.com/opnsense/core/blob/master/src/opnsense/mvc/script/run_migrations.php

AdSchellevis avatar Jan 19 '24 10:01 AdSchellevis

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Jul 16 '24 14:07 OPNsense-bot