Regression #11751: Input validation prevents creating 1:1 NAT rules on IPsec - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Regression #11751

closed

Input validation prevents creating 1:1 NAT rules on IPsec

Added by Steve Wheeler over 3 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Viktor Gurov

Category:

Rules / NAT

Target version:

2.5.2

Start date:

03/29/2021

Due date:

% Done:

Estimated time:

Plus Target Version:

21.05

Release Notes:

Default

Affected Version:

2.5.0

Affected Architecture:

All

Description

Additional input validation in the GUI in 21.02/2.5 prevents creating a 1:1 NAT rule on the IPSec interface because it expects an IP family and enc doesnot have one:

The following input errors were detected:

    The interface do not have address from the specified address family.

Should also read "interface does not have address".

This is an edge case because NAT is not expected to work on IPSec. However there are situation where us can work and did in pfSense < 2.5.
Specifically if the P2 in use carries 0.0.0.0/0 it will carry the NAT'd traffic still.

This only applies to 1:1 NAT

Tested in:

21.02.2-RC (arm64)
built on Mon Mar 29 03:04:00 EDT 2021
FreeBSD 12.2-STABLE

Files

211.diff (3.21 KB) 211.diff

Viktor Gurov, 04/23/2021 12:12 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Viktor Gurov over 3 years ago

Tracker changed from Bug to Regression

fix also includes OpenVPN and L2TP VPN input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/211

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Status changed from New to Pull Request Review

Actions

Copy link

Updated by Steve Wheeler over 3 years ago

Tested here against 21.02 snapshot. Works as expected.

Actions

Copy link

Updated by Alex Lost over 3 years ago

This bug quite ruined our environment.
Will be very greatfull for hotfix.

Actions

Copy link

Updated by Fiden Galvez over 3 years ago

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Thank you

Actions

Copy link

Updated by Viktor Gurov over 3 years ago

File 211.diff 211.diff added

Fiden Galvez wrote:

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Status changed from Pull Request Review to Feedback
Target version changed from CE-Next to 2.6.0

PR was merged yesterday.

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Plus Target Version set to 21.05

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Already in 21.05 branch.

Actions

Copy link

#10

Updated by Jim Pingle over 3 years ago

Subject changed from Input validation prevents 1:1 NAT rules on IPSec to Input validation prevents creating 1:1 NAT rules on IPsec
Category changed from Web Interface to Rules / NAT

Updating subject for release notes.

Actions

Copy link

#11