Inadequate input validation on limiters with floating rules
With floating rules, it's possible to create an invalid ruleset by specifying a limiter on a rule without a direction. pf just skips the affected rule(s), showing "dummynet cannot be specified without a direction". Need input validation to ensure direction is specified on any rule using limiters.
Resolves #1043. Do not allow limiters in floating rules without direction. It is invalid practice and while the backend skips it the user should be warned.
#4 Updated by Josh Stompro over 8 years ago
Tested on 2.0-beta4 (i386) Dec 10 02:17:09:EST 2010
When I tried to add a limiter (In/Out, which is not a very descriptive label if you don't know what you are looking for) to a floating rule with direction set to any, I get the error "You can not use limiters in floating rules without choosing a direction"
So I think this is resolved.
#8 Updated by Alexander Kalashnikov over 8 years ago
Unfortunately it's not fixed.
if (isset($_POST['floating']) && $_POST['pdnpipe'] != "none" && (empty($_POST['direction']) || $_POST['direction'] == "any"))
Replace OR with AND.
"If it is a floating rule and it is not a 'none' limiter and the direction is 'any'"
Something like this:
if (isset($_POST['floating']) && $_POST['pdnpipe'] != "none" && (empty($_POST['direction']) && $_POST['direction'] == "any"))
#12 Updated by Alexander Kalashnikov over 8 years ago
Sure, I can read code and any text, since I've read your response and am writing an answer here.
I'm sorry that I misguided you when I missed the double braces in the if-clause.
Anyway, if the code is correct, could you please provide instructions on how to create a floating rule without queue\gateway and with direction set to 'any'?
#13 Updated by Alexander Kalashnikov over 8 years ago
It seems like the issue is still present, but only for the gateway check, since $_POST['gateway'] contains an empty string when the default gateway is used.
I've checked it in Firefox, IE (9) and Opera.
So the code should be something like:
$_POST['gateway'] != "" && (empty($_POST['direction']) || $_POST['direction'] == "any"))
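The direction check discussed in comments #8 and #13, written out as an added example (not pfSense's own code) and run over constructed form submissions, with the AND form from comment #8 evaluated alongside for comparison. The field names come from the snippets in this thread; the function names, the gateway error text and the sample values are assumptions.

```php
<?php
// Added example, not pfSense code. Field names follow the snippets quoted in
// this thread; function names and the gateway error text are hypothetical.

function direction_missing(array $post): bool
{
    // empty() covers an absent key and ""; "any" is the value named in the thread.
    return empty($post['direction']) || $post['direction'] == "any";
}

function floating_rule_errors(array $post): array
{
    $errors = [];
    if (!isset($post['floating']) || !direction_missing($post)) {
        return $errors; // not a floating rule, or a direction was chosen
    }
    // A missing pdnpipe key is treated like "none" (assumption).
    if (($post['pdnpipe'] ?? "none") != "none") {
        $errors[] = "You can not use limiters in floating rules without choosing a direction";
    }
    // Comment #13: the default gateway is submitted as an empty string.
    if (($post['gateway'] ?? "") != "") {
        $errors[] = "Gateway set on a floating rule without a direction"; // hypothetical text
    }
    return $errors;
}

// The AND form proposed in comment #8, kept only for side-by-side output.
function and_variant_fires(array $post): bool
{
    return isset($post['floating']) && ($post['pdnpipe'] ?? "none") != "none"
        && (empty($post['direction']) && ($post['direction'] ?? "") == "any");
}

// Constructed sample submissions (limiter and gateway names are made up).
$cases = [
    'limiter, direction any'   => ['floating' => 'yes', 'pdnpipe' => 'LimitIn', 'gateway' => '', 'direction' => 'any'],
    'limiter, direction empty' => ['floating' => 'yes', 'pdnpipe' => 'LimitIn', 'gateway' => '', 'direction' => ''],
    'limiter, direction in'    => ['floating' => 'yes', 'pdnpipe' => 'LimitIn', 'gateway' => '', 'direction' => 'in'],
    'default gw, any'          => ['floating' => 'yes', 'pdnpipe' => 'none', 'gateway' => '', 'direction' => 'any'],
    'explicit gw, any'         => ['floating' => 'yes', 'pdnpipe' => 'none', 'gateway' => 'WAN2GW', 'direction' => 'any'],
    'non-floating, limiter'    => ['pdnpipe' => 'LimitIn', 'gateway' => '', 'direction' => 'any'],
];

foreach ($cases as $label => $post) {
    printf("%-26s OR check: %d error(s)   AND variant fires: %s\n",
        $label, count(floating_rule_errors($post)), and_variant_fires($post) ? 'yes' : 'no');
}
```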