Project

General

Profile

Actions

Bug #11734

closed

NAT rule overlap detection is inconsistent

Added by Marcos Mendoza 7 months ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
03/26/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.x
Affected Architecture:
All

Description

When saving an additional NAT port forward rule:

  1. The "protocol" field is effectively ignored in overlap checks
  2. The "source" field is not checked in overlap checks
  3. Rule is prevented from being saved when a destination mask is defined

Related issues

Related to Bug #12361: NAT rule overlap detection does not check special networksResolvedMarcos Mendoza

Actions
Has duplicate Bug #12132: Port Fowards Using CARP VIP Form Validation on Source BrokenDuplicate07/15/2021

Actions
Actions #2

Updated by Jim Pingle 7 months ago

  • Status changed from New to Rejected

Protocol doesn't overlap. You can have separate port forward rules for TCP and for UDP on the same port ranges which do not conflict.

Plus, that overlap check isn't for looking at network addresses, it's only making sure that port ranges do not overlap.

Actions #3

Updated by Marcos Mendoza 7 months ago

I've added some further details on it. At the least, there is a typo that should be fixed.

Actions #4

Updated by Jim Pingle 7 months ago

  • Status changed from Rejected to Pull Request Review
  • Target version set to CE-Next
Actions #5

Updated by Marcos Mendoza 5 months ago

Adding more details here; currently:

It's possible for rules with overlapping ports to be saved when the destination type is set to network because $natent['destination']['address'] can have a value of 10.0.0.0/24 while post['dst'] has a value of 10.0.0.0 (the mask is on a separate variable post['dstmask']).

There is a typo $natent['proto'], which means the != operator checks will always return true because null will never equal a defined variable. Hence, unless the protocol is set to TCP/UDP, the overlap check below this statement will never run.

Actions #6

Updated by Jim Pingle 5 months ago

  • Plus Target Version set to 21.09
Actions #7

Updated by Renato Botelho 4 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #8

Updated by Marcos Mendoza 4 months ago

  • % Done changed from 0 to 100
Actions #9

Updated by Marcos Mendoza 3 months ago

There's still an issue when the selected source or destination is a special network (e.g. L2TP Clients), as well as a missing / in the checks. I have a fix ready to submit.

Actions #10

Updated by Kris Phillips 3 months ago

Potentially related issue with source traffic with video demonstrating the issue: https://redmine.pfsense.org/issues/12132

Actions #11

Updated by Kris Phillips 3 months ago

Tested the changeset and the issue for 12132 and this redmine appears to be resolved.

Actions #13

Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Pull Request Review
Actions #14

Updated by Jim Pingle 3 months ago

  • Has duplicate Bug #12132: Port Fowards Using CARP VIP Form Validation on Source Broken added
Actions #15

Updated by Jim Pingle about 2 months ago

  • Target version changed from CE-Next to 2.6.0
Actions #16

Updated by Jim Pingle about 2 months ago

  • Related to Bug #12361: NAT rule overlap detection does not check special networks added
Actions #17

Updated by Jim Pingle about 2 months ago

  • Status changed from Pull Request Review to Resolved

Marking resolved since the original part was already tested. I moved the special networks issue over to #12361 as it needs to wait until after 21.09.

Actions #18

Updated by Jim Pingle 1 day ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF