Bug #1882

Invalid pf rule generated from a port forward with dest=any on an interface with ip=none

Added by Jim Pingle almost 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version: -
Start date: 09/16/2011
Due date:
% Done: 100%
Affected version: 2.0
Affected Architecture:
Description

If you have an interface with an IP type of "none", and then create a port forward on that interface with a destination of "any", it leads to an invalid ruleset.

Config snip of the offending port forward:

                <rule>
                        <source>
                                <any/>
                        </source>
                        <destination>
                                <any/>
                                <port>80</port>
                        </destination>
                        <protocol>tcp</protocol>
                        <target>192.168.1.55</target>
                        <local-port>80</local-port>
                        <interface>opt1</interface>
                        <descr/>
                        <associated-rule-id>nat_4e738285d7c807.89552620</associated-rule-id>
                        <value>default</value>
                </rule>

Leads to these rules:

rdr on vr2 proto tcp from any to any port 80 -> 192.168.1.55
no nat on vr2 proto tcp from (vr2) to /
nat on vr2 proto tcp from / to 192.168.1.55 port 80 -> (vr2)

Associated revisions

Revision fb943fce
Added by jim-p over 7 years ago

Add an option to the NUT package that will let the user choose to power down (shutdown -p) instead of halt. Should fix Ticket #1882
Shutdown -p will only work on supported systems. Since the behavior on unsupported systems is unknown, giving the user a choice seemed like the better way.

Revision fa984be9
Added by Erik Fonnesbeck over 4 years ago

Only add these lines if there is both an IP address and CIDR. Fixes #1882

Revision f314bad6
Added by Erik Fonnesbeck over 4 years ago

Only add these lines if there is both an IP address and CIDR. Fixes #1882
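
The effect of the guard described in the revisions above, as an added example that is not pfSense code: a simplified Python model of the rule generation for this port forward. It assumes the bare `/` in the invalid rules comes from joining an empty interface IP with an empty CIDR; the function names and the sample address 10.0.0.1/24 are constructed for illustration.

```python
# Added illustration: a simplified model, not pfSense's PHP rule generator.
from typing import List, Optional


def subnet_of(ip: Optional[str], cidr: Optional[str]) -> Optional[str]:
    """Return 'ip/cidr' only when both parts are present, else None."""
    ip = (ip or "").strip()
    cidr = (cidr or "").strip()
    if not ip or not cidr:
        return None
    return f"{ip}/{cidr}"


def port_forward_rules(ifname: str, proto: str, dport: int, target: str,
                       lport: int, ip: Optional[str], cidr: Optional[str],
                       guarded: bool = True) -> List[str]:
    """Build the pf lines for one port forward with destination 'any'."""
    rules = [f"rdr on {ifname} proto {proto} from any to any "
             f"port {dport} -> {target}"]
    if guarded:
        net = subnet_of(ip, cidr)
        if net is None:
            # Interface has no address: emit only the rdr line.
            return rules
    else:
        # Assumed pre-fix behaviour: join the parts even when both are empty.
        net = f"{ip or ''}/{cidr or ''}"
    rules.append(f"no nat on {ifname} proto {proto} from ({ifname}) to {net}")
    rules.append(f"nat on {ifname} proto {proto} from {net} to {target} "
                 f"port {lport} -> ({ifname})")
    return rules


def has_empty_address(rule: str) -> bool:
    """Flag a rule that has a bare '/' token where an address belongs."""
    return "/" in rule.split()


if __name__ == "__main__":
    # opt1/vr2 from the report: IP type "none", so no IP and no CIDR.
    for mode in (False, True):
        print("guarded" if mode else "unguarded")
        for line in port_forward_rules("vr2", "tcp", 80, "192.168.1.55",
                                       80, None, None, guarded=mode):
            print("  ", line, "  <-- invalid" if has_empty_address(line) else "")
```

Running `has_empty_address` over a generated ruleset before it is loaded catches the same malformed lines if another code path produces them.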

History

#1 Updated by Erik Fonnesbeck over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved
