From aa6a813617a5161f0496a4470cfa3b58837debe0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 5 Feb 2026 11:36:20 +0100
Subject: [PATCH] Firewall: Rules [new]: Fix group rename in source_net,
 destination_net and SNAT/DNAT target fields (#9734)

* Firewall: Rules [new]: Fix group rename in source_net, destination_net and SNAT/DNAT target fields

* review comments @fichtner
---
 .../app/models/OPNsense/Firewall/Group.php    | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php
index 37f251b35f..8659b0aef0 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php
@@ -45,7 +45,7 @@ class Group extends BaseModel
             ['nat', 'onetoone'],
             ['nat', 'outbound', 'rule'],
         ];
-        // os-firewall plugin paths
+        // mvc rules
         $sources[] = ['OPNsense', 'Firewall', 'Filter', 'rules', 'rule'];
         $sources[] = ['OPNsense', 'Firewall', 'Filter', 'snatrules', 'rule'];
         $sources[] = ['OPNsense', 'Firewall', 'Filter', 'npt', 'rule'];
@@ -80,17 +80,34 @@ class Group extends BaseModel
         $has_changed = false;
         foreach ($this->ruleIterator() as $node) {
             $interfaces = explode(",", (string)$node->interface);
+            // interface works the same for legacy and mvc rules
             if (in_array($oldname, $interfaces)) {
-                  unset($interfaces[array_search((string)$oldname, $interfaces)]);
-                  $interfaces[] = $newname;
+                  $interfaces[array_search((string)$oldname, $interfaces)] = $newname;
                   $node->interface = implode(",", $interfaces);
                   $has_changed = true;
             }
             foreach (['source', 'destination'] as $net) {
+                // legacy rules
                 if (!empty($node->$net) && !empty($node->$net->network) && (string)$node->$net->network == $oldname) {
                     $node->$net->network = $newname;
                     $has_changed = true;
                 }
+                // mvc rules (source_net...)
+                $field = $net . '_net';
+                $value = (string)$node->$field;
+                if (!empty($value)) {
+                    $nets = explode(',', $value);
+                    if (in_array($oldname, $nets)) {
+                        $nets[array_search($oldname, $nets)] = $newname;
+                        $node->$field = implode(',', $nets);
+                        $has_changed = true;
+                    }
+                }
+            }
+            // SNAT/DNAT target
+            if (!empty($node->target) && (string)$node->target === $oldname) {
+                $node->target = $newname;
+                $has_changed = true;
             }
         }
         return $has_changed;