Actions
Bug #11569
closedACLs generated from RADIUS reply attributes have incorrect syntax
Start date:
02/27/2021
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:
Description
FreeRADIUS ACLs:
Cisco-AVPair = "ip:inacl#1=permit tcp 192.168.1.2 0.0.0.0 any", Cisco-AVPair += "ip:inacl#2=permit tcp 192.168.1.1 0.0.0.0 10.10.128.151 0.0.0.0 eq 80",
Created OpenVPN rules:
pass in quick on ovpns1 inet proto tcp from 192.168.1.2/32to any pass in quick on ovpns1 inet proto tcp from 192.168.1.1/32to 10.10.128.151/32port = 80
Expected OpenVPN rules:
pass in quick on ovpns1 inet proto tcp from 192.168.1.2/32 to any pass in quick on ovpns1 inet proto tcp from 192.168.1.1/32 to 10.10.128.151/32 port = 80
Updated by Dmitry Bashkarev almost 4 years ago
Ready for review: https://github.com/pfsense/pfsense/pull/4504
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
- Target version changed from 2.5.1 to CE-Next
I thought this got fixed with #10803 but apparently not.
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
PR has been merged. Thanks!
Updated by Jim Pingle almost 4 years ago
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho almost 4 years ago
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
Updated by Jim Pingle almost 4 years ago
- Subject changed from Parsing cisco acl to ACLs generated from RADIUS reply attributes have incorrect syntax
Updating subject for release notes.
Updated by Viktor Gurov almost 4 years ago
- Status changed from Feedback to Resolved
works as expected on 2.5.1.r.20210324.0300
RADIUS attributes:
Cisco-AVPair = "ip:inacl#1=permit ip host 10.3.0.99 10.1.10.0 0.0.0.255", Cisco-AVPair += "ip:inacl#2=permit ip host 10.3.0.99 host 10.10.0.55", Cisco-AVPair += "ip:inacl#3=permit ip host 10.3.0.99 172.20.0.0 0.0.255.255", Cisco-AVPair += "ip:inacl#4=permit ip host 10.3.0.99 host 10.10.4.5"
result:
# pfctl -a openvpn/ovpns1_testuser_29199 -sr pass in quick on ovpns1 inet from 10.3.0.99 to 10.1.10.0/24 flags S/SA keep state pass in quick on ovpns1 inet from 10.3.0.99 to 10.10.0.55 flags S/SA keep state pass in quick on ovpns1 inet from 10.3.0.99 to 172.20.0.0/16 flags S/SA keep state pass in quick on ovpns1 inet from 10.3.0.99 to 10.10.4.5 flags S/SA keep state
Actions