Actions
Bug #11818
closedMixed use of aliases in a port range produces unloadable ruleset
Start date:
04/19/2021
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.1
Affected Architecture:
All
Description
Using a combination of port numbers or system aliases and user ports aliases in a port forward port range creates a ruleset that cannot be loaded.
For example the following config:
<nat> <rule> <source> <any></any> </source> <destination> <network>wanip</network> <port>22-ssh_test</port> </destination> <ipprotocol>inet</ipprotocol> <protocol>tcp</protocol> <target>192.168.180.59</target> <local-port>ssh_test</local-port> <interface>wan</interface> <descr><![CDATA[Test PF]]></descr> <associated-rule-id>nat_607d73f09fd0a2.78314883</associated-rule-id> </rule> </nat> <aliases> <alias> <name>ssh_test</name> <type>port</type> <address>22</address> <descr></descr> </alias> </aliases>
Creates a ruleset:
# User Aliases ssh_test = "{ 22 }" # NAT Inbound Redirects rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22
Which then fails to load with the error:
General Unresolvable destination port alias 'ssh_test--22' for rule 'NAT Test PF' @ 2021-04-19 13:13:39 Filter Reload There were error(s) loading the rules: /tmp/rules.debug:56: unknown port ssh_test - The line in question reads [56]: rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22 @ 2021-04-19 13:13:40
Tested in:
2.5.1-RELEASE (amd64) built on Mon Apr 12 07:50:14 EDT 2021 FreeBSD 12.2-STABLE
Updated by Viktor Gurov over 3 years ago
I see PHP error when trying to reproduce the same fw rules (pfSense 2.6.0.a.20210416.0100):
Crash report details: PHP Errors: [19-Apr-2021 16:38:16 Europe/Moscow] PHP Warning: A non-numeric value encountered in /usr/local/www/firewall_nat.php on line 145
Updated by Viktor Gurov over 3 years ago
extra input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/258
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Plus Target Version set to 21.09
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- % Done changed from 0 to 100
Applied in changeset 234fbf04cbb6ab2cf64f2e7491b135e9de31af07.
Updated by Steve Wheeler over 3 years ago
This is fixed in 21.09.
Trying to use a combination of aliases and ports is rejected:
The following input errors were detected: The field Redirect target IP is required. Destination port range From/To values must a port number or alias, but not both.
Tested:
21.09-BETA (amd64) built on Tue Sep 14 01:12:38 EDT 2021 FreeBSD 12.2-STABLE
Updated by Chris W over 3 years ago
Also confirming the attempted combination use of aliases and ports on 2.6 Development:
The following input errors were detected: Destination port range From/To values must a port number or alias, but not both.
Tested:
2.6.0-DEVELOPMENT (amd64) built on Tue Sep 14 01:09:53 EDT 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Actions