Bug #11734
closed
NAT rule overlap detection is inconsistent
100%
Description
When saving an additional NAT port forward rule:
- The "protocol" field is effectively ignored in overlap checks
- The "source" field is not checked in overlap checks
- Rule is prevented from being saved when a destination mask is defined
Related issues
Updated by Marcos M over 3 years ago
- Assignee set to Marcos M
Updated by Jim Pingle over 3 years ago
- Status changed from New to Rejected
Protocol doesn't overlap. You can have separate port forward rules for TCP and for UDP on the same port ranges which do not conflict.
Plus, that overlap check isn't for looking at network addresses, it's only making sure that port ranges do not overlap.
Updated by Marcos M over 3 years ago
I've added some further details on it. At the least, there is a typo that should be fixed.
Updated by Jim Pingle over 3 years ago
- Status changed from Rejected to Pull Request Review
- Target version set to CE-Next
Updated by Marcos M over 3 years ago
Adding more details here; currently:
It's possible for rules with overlapping ports to be saved when the destination type is set to network because $natent['destination']['address'] can have a value of 10.0.0.0/24 while post['dst'] has a value of 10.0.0.0 (the mask is on a separate variable post['dstmask']).
There is a typo $natent['proto'], which means the != operator checks will always return true because null will never equal a defined variable. Hence, unless the protocol is set to TCP/UDP, the overlap check below this statement will never run.
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Marcos M over 3 years ago
- % Done changed from 0 to 100
Applied in changeset 3736da7f0ffd73c0cd25b7118b3c4be2e1f0eab9.
Updated by Marcos M over 3 years ago
There's still an issue when the selected source or destination is a special network (e.g. L2TP Clients), as well as a missing / in the checks. I have a fix ready to submit.
Updated by Kris Phillips over 3 years ago
Potentially related issue with source traffic with video demonstrating the issue: https://redmine.pfsense.org/issues/12132
Updated by Kris Phillips over 3 years ago
Tested the changeset and the issue for 12132 and this redmine appears to be resolved.
Updated by Marcos M over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Pull Request Review
Updated by Jim Pingle over 3 years ago
- Has duplicate Bug #12132: Port Fowards Using CARP VIP Form Validation on Source Broken added
Updated by Jim Pingle about 3 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle about 3 years ago
- Related to Bug #12361: NAT rule overlap detection does not check special networks added
Updated by Jim Pingle about 3 years ago
- Status changed from Pull Request Review to Resolved
Marking resolved since the original part was already tested. I moved the special networks issue over to #12361 as it needs to wait until after 21.09.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01