
Bug #11818

closed

Mixed use of aliases in a port range produces unloadable ruleset

Added by Steve Wheeler over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Aliases / Tables
Target version:
Start date:
04/19/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.1
Affected Architecture:
All

Description

Using a combination of port numbers or system aliases and user port aliases in a port forward port range creates a ruleset that cannot be loaded.

For example the following config:

    <nat>
        <rule>
            <source>
                <any></any>
            </source>
            <destination>
                <network>wanip</network>
                <port>22-ssh_test</port>
            </destination>
            <ipprotocol>inet</ipprotocol>
            <protocol>tcp</protocol>
            <target>192.168.180.59</target>
            <local-port>ssh_test</local-port>
            <interface>wan</interface>
            <descr><![CDATA[Test PF]]></descr>
            <associated-rule-id>nat_607d73f09fd0a2.78314883</associated-rule-id>
        </rule>
    </nat>
    <aliases>
        <alias>
            <name>ssh_test</name>
            <type>port</type>
            <address>22</address>
            <descr></descr>
        </alias>
    </aliases>

Creates a ruleset:

# User Aliases 
ssh_test = "{   22 }" 

# NAT Inbound Redirects
rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22

Which then fails to load with the error:

General
    Unresolvable destination port alias 'ssh_test--22' for rule 'NAT Test PF' @ 2021-04-19 13:13:39
Filter Reload
    There were error(s) loading the rules: /tmp/rules.debug:56: unknown port ssh_test - The line in question reads [56]: rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22
    @ 2021-04-19 13:13:40

Tested in:

2.5.1-RELEASE (amd64)
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE

Actions #1

Updated by Viktor Gurov over 3 years ago

I see PHP error when trying to reproduce the same fw rules (pfSense 2.6.0.a.20210416.0100):

Crash report details:

PHP Errors:
[19-Apr-2021 16:38:16 Europe/Moscow] PHP Warning:  A non-numeric value encountered in /usr/local/www/firewall_nat.php on line 145

Actions #2

Updated by Viktor Gurov over 3 years ago

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Plus Target Version set to 21.09

Actions #4

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #5

Updated by Viktor Gurov over 3 years ago

  • % Done changed from 0 to 100

Actions #6

Updated by Steve Wheeler about 3 years ago

This is fixed in 21.09.

Trying to use a combination of aliases and ports is rejected:

The following input errors were detected:

    The field Redirect target IP is required.
    Destination port range From/To values must a port number or alias, but not both.

Tested:

21.09-BETA (amd64)
built on Tue Sep 14 01:12:38 EDT 2021
FreeBSD 12.2-STABLE
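The input check described in the comment above, reconstructed as an added example (not pfSense's own code): each end of the destination port range is classified as either a literal port or a known port alias, and a mixed pair such as `22` / `ssh_test` is rejected before anything resembling `port 22:ssh_test` can reach pf. The alias table, the `$name` pf macro form for the accepted alias case, and the rule that both ends of an alias range must be the same alias are assumptions of this example.

```python
import re

# Constructed alias table standing in for the <aliases> section of the
# config in the report: alias name -> port values. (Assumed data shape.)
PORT_ALIASES = {"ssh_test": ["22"]}

_PORT_RE = re.compile(r"^\d{1,5}$")


def classify(value, aliases):
    """Return 'port' for a literal 1-65535, 'alias' for a known port alias,
    otherwise None. A value that is neither can never be emitted into pf."""
    if _PORT_RE.match(value) and 1 <= int(value) <= 65535:
        return "port"
    if value in aliases:
        return "alias"
    return None


def validate_port_range(frm, to, aliases=PORT_ALIASES):
    """Mirror the post-fix input check: both ends of the range must be of
    the same kind. Returns (ok, detail); detail is the pf port expression
    when ok, otherwise the reason the input is rejected."""
    to = to or frm  # an empty To field means a single port (assumed)
    kinds = (classify(frm, aliases), classify(to, aliases))
    if None in kinds:
        return False, "Destination port range values must be a port number or a port alias."
    if kinds[0] != kinds[1]:
        # The 22-ssh_test case from the report: 2.5.1 emitted
        # 'port 22:ssh_test', which pf rejects with 'unknown port ssh_test'.
        return False, "Destination port range From/To values must be a port number or alias, but not both."
    if kinds[0] == "alias":
        if frm != to:  # assumed: a range cannot span two different aliases
            return False, "A port range cannot span two different aliases."
        return True, f"${frm}"  # pf macro reference to the alias
    lo, hi = int(frm), int(to)
    if lo > hi:
        return False, "From port must not be greater than To port."
    return True, f"{lo}" if lo == hi else f"{lo}:{hi}"
```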

Actions #7

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved

Actions #8

Updated by Chris W about 3 years ago

Also confirming the attempted combination use of aliases and ports on 2.6 Development:

The following input errors were detected:

Destination port range From/To values must a port number or alias, but not both.

Tested:

2.6.0-DEVELOPMENT (amd64)
built on Tue Sep 14 01:09:53 EDT 2021
FreeBSD 12.2-STABLE

Actions #9

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01