Project

General

Profile

Actions

Bug #11734

closed

NAT rule overlap detection is inconsistent

Added by Marcos M about 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
03/26/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.x
Affected Architecture:
All

Description

When saving an additional NAT port forward rule:

  1. The "protocol" field is effectively ignored in overlap checks
  2. The "source" field is not checked in overlap checks
  3. Rule is prevented from being saved when a destination mask is defined

Related issues

Related to Bug #12361: NAT rule overlap detection does not check special networksResolvedMarcos M

Actions
Has duplicate Bug #12132: Port Fowards Using CARP VIP Form Validation on Source BrokenDuplicate07/15/2021

Actions
Actions #2

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Rejected

Protocol doesn't overlap. You can have separate port forward rules for TCP and for UDP on the same port ranges which do not conflict.

Plus, that overlap check isn't for looking at network addresses, it's only making sure that port ranges do not overlap.

Actions #3

Updated by Marcos M almost 3 years ago

I've added some further details on it. At the least, there is a typo that should be fixed.

Actions #4

Updated by Jim Pingle almost 3 years ago

  • Status changed from Rejected to Pull Request Review
  • Target version set to CE-Next
Actions #5

Updated by Marcos M almost 3 years ago

Adding more details here; currently:

It's possible for rules with overlapping ports to be saved when the destination type is set to network because $natent['destination']['address'] can have a value of 10.0.0.0/24 while post['dst'] has a value of 10.0.0.0 (the mask is on a separate variable post['dstmask']).

There is a typo $natent['proto'], which means the != operator checks will always return true because null will never equal a defined variable. Hence, unless the protocol is set to TCP/UDP, the overlap check below this statement will never run.

Actions #6

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version set to 21.09
Actions #7

Updated by Renato Botelho over 2 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #8

Updated by Marcos M over 2 years ago

  • % Done changed from 0 to 100
Actions #9

Updated by Marcos M over 2 years ago

There's still an issue when the selected source or destination is a special network (e.g. L2TP Clients), as well as a missing / in the checks. I have a fix ready to submit.

Actions #10

Updated by Kris Phillips over 2 years ago

Potentially related issue with source traffic with video demonstrating the issue: https://redmine.pfsense.org/issues/12132

Actions #11

Updated by Kris Phillips over 2 years ago

Tested the changeset and the issue for 12132 and this redmine appears to be resolved.

Actions #13

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Pull Request Review
Actions #14

Updated by Jim Pingle over 2 years ago

  • Has duplicate Bug #12132: Port Fowards Using CARP VIP Form Validation on Source Broken added
Actions #15

Updated by Jim Pingle over 2 years ago

  • Target version changed from CE-Next to 2.6.0
Actions #16

Updated by Jim Pingle over 2 years ago

  • Related to Bug #12361: NAT rule overlap detection does not check special networks added
Actions #17

Updated by Jim Pingle over 2 years ago

  • Status changed from Pull Request Review to Resolved

Marking resolved since the original part was already tested. I moved the special networks issue over to #12361 as it needs to wait until after 21.09.

Actions #18

Updated by Jim Pingle over 2 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF