Bug #11389
closed
Mixed-case or Uppercase Alias names will not resolve when nested within another Alias
100%
Description
The inclusion of calls to the PHP function idn_to_utf8() and idn_to_ascii() in pfSense-2.5 appear to have inadvertently broken the nesting of Aliases when the alias name is of mixed case (combination of uppercase and lowercase letters), or when the alias name is all uppercase. This happens because the <address> element of an Alias entry is converted to lowercase by the PHP subsystem call. Thus the <address> element no longer matches up with the actual parent Alias name in the case of nesting. So when the system attempts to resolve the value of any nested aliases, it is unable to locate the actual alias in config.xml because of the lowercase conversion.
To reproduce on the most recent 2.5 snapshot, do the following:
1. Under FIREWALL > ALIASES, create a new alias with a mixed-case name such as "Linux_PCs" and enter one or two IP addresses as the alias value.
2. Repeat the step above creating a second new alias with a mixed-case name such as "Windows_PCs" and enter one or two IP addresses for the value.
3. Now create a third new alias whose "values" are the names of the mixed-case aliases created above. So for example, create an alias named "Workstations" and then type in "Linux_PCs" and "Windows_PCs" as the host values.
4. Hit APPLY now to apply all the updates.
5. Create a firewall rule using the new "Workstations" nested alias as either a source or destination target and apply to reload the filter.
6. Go to DIAGNOSTICS > TABLES and select the "Workstations" alias to view. Note that it will be blank. It should instead be showing the IP addresses associated with the nested aliases "Linux_PCs" and "Windows_PCs".
Note that if you delete the aliases created in the steps above and repeat the process of recreating them, but use all lowercase names for the nested aliases instead of mixed-case (e.g., "linux_pcs" and "windows_pcs", then the nesting will resolve correctly and when looking at the "Workstations" table in DIAGNOSTICS > TABLES, it will correctly show the IP addresses from the nested aliases.
Updated by Bill Meeks about 3 years ago
I failed to note that mixed-case alias names will correctly resolve when nested in pfSense-2.4.5, so this appears limited to 2.5.
Updated by Viktor Gurov about 3 years ago
- Status changed from New to Feedback
unable to reproduce on 2.5.0.a.20210204.2250
fixed in #10968
Updated by Bill Meeks about 3 years ago
Viktor: this is the version I am testing on --
2.5.0-DEVELOPMENT (amd64)
built on Thu Feb 04 22:53:51 CST 2021
FreeBSD 12.2-STABLE
I can reliably create the issue as described. I will try pulling down a gitsync on my virtual machine to see if the issue resolves for me.
Bill
Updated by Jim Pingle about 3 years ago
If #10968 fixed it then something else broke it again. I can reproduce it easily here.
: grep -i nesttest /conf/config.xml
<name>NestTest1</name>
<name>NestTest2</name>
<name>NestTestBoth</name>
<address>nesttest1 nesttest2</address>
The names were changed to lowercase. I repeated the test twice with two sets of completely new aliases. Same result.
Updated by Viktor Gurov about 3 years ago
hm, my test configuration:
<alias>
<name>LinPC_HOSTS</name>
<type>host</type>
<address>2.2.2.2</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 09 Feb 2021 17:43:47 +0300]]></detail>
</alias>
<alias>
<name>WinPC_HOSTs</name>
<type>host</type>
<address>1.1.1.1</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 09 Feb 2021 17:43:47 +0300]]></detail>
</alias>
<alias>
<name>mixedhosts</name>
<type>host</type>
<address>LinPC_HOSTS WinPC_HOSTs</address>
<descr></descr>
<detail><![CDATA[Entry added Tue, 09 Feb 2021 17:44:23 +0300||Entry added Tue, 09 Feb 2021 17:44:23 +0300]]></detail>
</alias>
# grep mixedhosts /tmp/rules.debug
table <mixedhosts> { 2.2.2.2 1.1.1.1 }
mixedhosts = "<mixedhosts>"
pass in quick on $WAN reply-to ( vtnet1 192.168.89.5 ) inet proto tcp from $mixedhosts to any tracker 1611243200 flags S/SA keep state label "USER_RULE"
Updated by Jim Pingle about 3 years ago
Might be something in your running state, but it happens consistently every time for me here. I don't have any of the aliases in firewall rules (yet), I'm just creating them and trying to nest before they are in use. Might be something there.
Updated by Bill Meeks about 3 years ago
I am also wondering if it is some kind of "race" thing perhaps???
I see a check in the new code that tests each value submitted to idn_to_utf8() to see if it is an existing alias. If so, it is returned "as-is" and not run through the function. But it appears that test is failing sometimes, for some reason, and thus the <address> value for an edited or newly created alias is getting changed to lowercase via being passed to, and processed by, the PHP idn_to_utf8() or idn_to_ascii() functions.
Updated by Viktor Gurov about 3 years ago
Updated by Bill Meeks about 3 years ago
I am unable to pull down the changes from that private repo, so can't test. Will depend on Jim to test from his end.
Bill
Updated by Jim Pingle about 3 years ago
Still failed for me with that patch applied. Ends up with lowercase contents every time I try it.
Updated by Jim Pingle about 3 years ago
- Status changed from New to Not a Bug
OK I figured out what caused this. It's not a problem in current code, but somewhere along the way snapshots had alias-utils.inc in /etc/inc/alias-utils.inc and then it moved to /etc/inc/web/alias-utils.inc -- the "old" copy was still there, and it was included first, which meant fixes in the new location were not respected.
If you rm /etc/inc/alias-utils.inc and then restart the GUI (16/11 from the console, or reboot) then try again it should work.
It wouldn't be a problem on fresh installs after it moved to the new location, or when upgrading from 2.4.x after the location was moved.
Normally we'd put in an obsoleted files entry but since it only affected some snapshots it may not be worth the effort.
Updated by Jim Pingle about 3 years ago
- Status changed from Not a Bug to Feedback
- Priority changed from High to Normal
- Target version set to 2.5.0
Changed my mind, I added an entry to remove the old file. It's a simple change and may prevent others from having the same problem.
Updated by Bill Meeks about 3 years ago
Thanks! Good catch. I was pulling my hair out, because I could see what "should" be bypassing the problem but it wasn't working. My virtual machine indeed had the old copy of the file in /etc/inc.
Updated by Jim Pingle about 3 years ago
- % Done changed from 0 to 100
Applied in changeset 860391bfcb5d273daef32780003014cfdd557a6d.
Updated by Bill Meeks about 3 years ago
Confirmed working now with the old file deleted in my 2.5 VM. This issue can be marked resolved.
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to Resolved