POS option ignored when creating firewall rules via API

Phips

New Member
Nov 15, 2024
When creating a fw rule via pvesh, for example

Code:
pvesh create /cluster/firewall/groups/dropOutRFC1918 --pos 1 --enable 1 --type "out" --action "DROP" --log "debug"

the pos option is ignored. The last created rule will always become pos 0 and the position of all others will be increased by 1.

The API documentation says "Update rule at position <pos>."
Is it possible that this option is no longer valid for the group and only accepted when you modify a position?

Thanks and br
Philipp
 
Hi @Phips

thank you for posting in the forum!

I've reproduced the issue on my end and tracked down the culprit.
In the firewall API endpoint the position parameter is accepted but not further considered.
See line 308 here [1]. Excerpt:
Perl:
306   $rule->{enable} = 0 if !defined($param->{enable});
307
308   unshift @$rules, $rule;
309
310   $class->save_rules($param, $fw_conf, $rules);

The unshift just adds the rule at the beginning of the list, so this is currently expected behavior.

Feel free to open a bug report at https://bugzilla.proxmox.com/

As a workaround you can use the moveto endpoint as documented here [2].

Yours sincerely
Jonas

[1] https://git.proxmox.com/?p=pve-fire...ad05df57f43f2865fd339b9777957c092f3c4;hb=HEAD
[2] https://pve.proxmox.com/pve-docs/api-viewer/#/nodes/{node}/firewall/rules/{pos}
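
Added example, not part of the thread and not Proxmox code: a small Python model of the create behaviour shown in the excerpt (every new rule is prepended, pos is unused). It shows how a script that creates rules top to bottom ends up with them reversed, and how that changes the verdict for a destination. The sample rules, the function names, the default policy and the first-match evaluation model are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules (not from the thread). Intended order: top is evaluated first.
INTENDED = [
    {"action": "ACCEPT", "dest": "10.0.0.53/32", "comment": "internal DNS"},
    {"action": "DROP", "dest": "10.0.0.0/8", "comment": "RFC1918 10/8"},
    {"action": "DROP", "dest": "192.168.0.0/16", "comment": "RFC1918 192.168/16"},
]

def create_rule(rules, rule, pos=None):
    """Model of the excerpt's `unshift @$rules, $rule`: pos is accepted, never used."""
    rules.insert(0, rule)

def provision(intended, reverse=False):
    """Create rules one by one, passing pos each time; return the resulting list."""
    rules = []
    items = list(enumerate(intended))
    for pos, rule in (reversed(items) if reverse else items):
        create_rule(rules, rule, pos=pos)
    return rules

def verdict(rules, dest_ip, default="ACCEPT"):
    """First matching rule wins (evaluation model assumed for this sketch)."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["dest"]):
            return rule["action"]
    return default

def order_drift(intended, actual):
    """Positions where the read-back list differs from the intended one."""
    return [(i, want["comment"], got["comment"])
            for i, (want, got) in enumerate(zip(intended, actual)) if want != got]

if __name__ == "__main__":
    naive = provision(INTENDED)                 # created top to bottom
    fixed = provision(INTENDED, reverse=True)   # created bottom to top
    print("drift after naive creation:", order_drift(INTENDED, naive))
    print("10.0.0.53 with naive order:", verdict(naive, "10.0.0.53"))
    print("10.0.0.53 with reversed creation:", verdict(fixed, "10.0.0.53"))
```

Comparing the rule list read back from the API against the intended list, as `order_drift` does here, catches the reordering regardless of how the rules were created.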