Project

General

Profile

Bug #11389

Mixed-case or Uppercase Alias names will not resolve when nested within another Alias

Added by Bill Meeks 2 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
FilterDNS
Target version:
Start date:
02/09/2021
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:
All
Release Notes:
Default

Description

The inclusion of calls to the PHP function idn_to_utf8() and idn_to_ascii() in pfSense-2.5 appear to have inadvertently broken the nesting of Aliases when the alias name is of mixed case (combination of uppercase and lowercase letters), or when the alias name is all uppercase. This happens because the <address> element of an Alias entry is converted to lowercase by the PHP subsystem call. Thus the <address> element no longer matches up with the actual parent Alias name in the case of nesting. So when the system attempts to resolve the value of any nested aliases, it is unable to locate the actual alias in config.xml because of the lowercase conversion.

To reproduce on the most recent 2.5 snapshot, do the following:

1. Under FIREWALL > ALIASES, create a new alias with a mixed-case name such as "Linux_PCs" and enter one or two IP addresses as the alias value.

2. Repeat the step above creating a second new alias with a mixed-case name such as "Windows_PCs" and enter one or two IP addresses for the value.

3. Now create a third new alias whose "values" are the names of the mixed-case aliases created above. So for example, create an alias named "Workstations" and then type in "Linux_PCs" and "Windows_PCs" as the host values.

4. Hit APPLY now to apply all the updates.

5. Create a firewall rule using the new "Workstations" nested alias as either a source or destination target and apply to reload the filter.

6. Go to DIAGNOSTICS > TABLES and select the "Workstations" alias to view. Note that it will be blank. It should instead be showing the IP addresses associated with the nested aliases "Linux_PCs" and "Windows_PCs".

Note that if you delete the aliases created in the steps above and repeat the process of recreating them, but use all lowercase names for the nested aliases instead of mixed-case (e.g., "linux_pcs" and "windows_pcs", then the nesting will resolve correctly and when looking at the "Workstations" table in DIAGNOSTICS > TABLES, it will correctly show the IP addresses from the nested aliases.

Associated revisions

Revision 860391bf (diff)
Added by Jim Pingle 2 months ago

This file moved, remove old copy. Fixes #11389

Revision c33ebcbc (diff)
Added by Jim Pingle 2 months ago

This file moved, remove old copy. Fixes #11389

(cherry picked from commit 860391bfcb5d273daef32780003014cfdd557a6d)

History

#1 Updated by Bill Meeks 2 months ago

I failed to note that mixed-case alias names will correctly resolve when nested in pfSense-2.4.5, so this appears limited to 2.5.

#2 Updated by Viktor Gurov 2 months ago

  • Status changed from New to Feedback

unable to reproduce on 2.5.0.a.20210204.2250
fixed in #10968

#3 Updated by Bill Meeks 2 months ago

Viktor: this is the version I am testing on --

2.5.0-DEVELOPMENT (amd64)
built on Thu Feb 04 22:53:51 CST 2021
FreeBSD 12.2-STABLE

I can reliably create the issue as described. I will try pulling down a gitsync on my virtual machine to see if the issue resolves for me.

Bill

#4 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to New

#5 Updated by Jim Pingle 2 months ago

If #10968 fixed it then something else broke it again. I can reproduce it easily here.

: grep -i nesttest /conf/config.xml
            <name>NestTest1</name>
            <name>NestTest2</name>
            <name>NestTestBoth</name>
            <address>nesttest1 nesttest2</address>

The names were changed to lowercase. I repeated the test twice with two sets of completely new aliases. Same result.

#6 Updated by Viktor Gurov 2 months ago

hm, my test configuration:

<alias>
                        <name>LinPC_HOSTS</name>
                        <type>host</type>
                        <address>2.2.2.2</address>
                        <descr></descr>
                        <detail><![CDATA[Entry added Tue, 09 Feb 2021 17:43:47 +0300]]></detail>
 </alias>
<alias>
                        <name>WinPC_HOSTs</name>
                        <type>host</type>
                        <address>1.1.1.1</address>
                        <descr></descr>
                        <detail><![CDATA[Entry added Tue, 09 Feb 2021 17:43:47 +0300]]></detail>
</alias>
<alias>
                        <name>mixedhosts</name>
                        <type>host</type>
                        <address>LinPC_HOSTS WinPC_HOSTs</address>
                        <descr></descr>
                        <detail><![CDATA[Entry added Tue, 09 Feb 2021 17:44:23 +0300||Entry added Tue, 09 Feb 2021 17:44:23 +0300]]></detail>
 </alias>

# grep mixedhosts /tmp/rules.debug
table <mixedhosts> {    2.2.2.2   1.1.1.1 } 
mixedhosts = "<mixedhosts>" 
pass  in  quick  on $WAN reply-to ( vtnet1 192.168.89.5 ) inet proto tcp  from $mixedhosts to any tracker 1611243200 flags S/SA keep state  label "USER_RULE" 

#7 Updated by Jim Pingle 2 months ago

Might be something in your running state, but it happens consistently every time for me here. I don't have any of the aliases in firewall rules (yet), I'm just creating them and trying to nest before they are in use. Might be something there.

#8 Updated by Bill Meeks 2 months ago

I am also wondering if it is some kind of "race" thing perhaps???

I see a check in the new code that tests each value submitted to idn_to_utf8() to see if it is an existing alias. If so, it is returned "as-is" and not run through the function. But it appears that test is failing sometimes, for some reason, and thus the <address> value for an edited or newly created alias is getting changed to lowercase via being passed to, and processed by, the PHP idn_to_utf8() or idn_to_ascii() functions.

#10 Updated by Bill Meeks 2 months ago

I am unable to pull down the changes from that private repo, so can't test. Will depend on Jim to test from his end.

Bill

#11 Updated by Jim Pingle 2 months ago

Still failed for me with that patch applied. Ends up with lowercase contents every time I try it.

#12 Updated by Jim Pingle 2 months ago

  • Status changed from New to Not a Bug

OK I figured out what caused this. It's not a problem in current code, but somewhere along the way snapshots had alias-utils.inc in /etc/inc/alias-utils.inc and then it moved to /etc/inc/web/alias-utils.inc -- the "old" copy was still there, and it was included first, which meant fixes in the new location were not respected.

If you rm /etc/inc/alias-utils.inc and then restart the GUI (16/11 from the console, or reboot) then try again it should work.

It wouldn't be a problem on fresh installs after it moved to the new location, or when upgrading from 2.4.x after the location was moved.

Normally we'd put in an obsoleted files entry but since it only affected some snapshots it may not be worth the effort.

#13 Updated by Jim Pingle 2 months ago

  • Status changed from Not a Bug to Feedback
  • Priority changed from High to Normal
  • Target version set to 2.5.0

Changed my mind, I added an entry to remove the old file. It's a simple change and may prevent others from having the same problem.

#14 Updated by Bill Meeks 2 months ago

Thanks! Good catch. I was pulling my hair out, because I could see what "should" be bypassing the problem but it wasn't working. My virtual machine indeed had the old copy of the file in /etc/inc.

#15 Updated by Jim Pingle 2 months ago

  • % Done changed from 0 to 100

#16 Updated by Bill Meeks 2 months ago

Confirmed working now with the old file deleted in my 2.5 VM. This issue can be marked resolved.

#17 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF