Project

General

Profile

Regression #11751

Input validation prevents 1:1 NAT rules on IPSec

Added by Steve Wheeler about 1 month ago. Updated 17 days ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
Start date:
03/29/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:
All

Description

Additional input validation in the GUI in 21.02/2.5 prevents creating a 1:1 NAT rule on the IPSec interface because it expects an IP family and enc doesnot have one:

The following input errors were detected:

    The interface do not have address from the specified address family.

Should also read "interface does not have address".

This is an edge case because NAT is not expected to work on IPSec. However there are situation where us can work and did in pfSense < 2.5.
Specifically if the P2 in use carries 0.0.0.0/0 it will carry the NAT'd traffic still.

This only applies to 1:1 NAT

Tested in:

21.02.2-RC (arm64)
built on Mon Mar 29 03:04:00 EDT 2021
FreeBSD 12.2-STABLE

211.diff (3.21 KB) 211.diff Viktor Gurov, 04/23/2021 12:12 AM

History

#1 Updated by Viktor Gurov about 1 month ago

  • Tracker changed from Bug to Regression

fix also includes OpenVPN and L2TP VPN input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/211

#2 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review

#3 Updated by Steve Wheeler about 1 month ago

Tested here against 21.02 snapshot. Works as expected.

#4 Updated by Alex Lost about 1 month ago

This bug quite ruined our environment.
Will be very greatfull for hotfix.

#5 Updated by Fiden Galvez 17 days ago

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Thank you

#6 Updated by Viktor Gurov 17 days ago

Fiden Galvez wrote:

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Also available in: Atom PDF