Bug #11818
Closed
Mixed use of aliases in a port range produces unloadable ruleset
Start date: 04/19/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.5.1
Affected Architecture: All
Description
Using a combination of port numbers or system aliases and user port aliases in a port forward port range creates a ruleset that cannot be loaded.
For example, the following config:
<nat>
    <rule>
        <source>
            <any></any>
        </source>
        <destination>
            <network>wanip</network>
            <port>22-ssh_test</port>
        </destination>
        <ipprotocol>inet</ipprotocol>
        <protocol>tcp</protocol>
        <target>192.168.180.59</target>
        <local-port>ssh_test</local-port>
        <interface>wan</interface>
        <descr><![CDATA[Test PF]]></descr>
        <associated-rule-id>nat_607d73f09fd0a2.78314883</associated-rule-id>
    </rule>
</nat>
<aliases>
    <alias>
        <name>ssh_test</name>
        <type>port</type>
        <address>22</address>
        <descr></descr>
    </alias>
</aliases>
Creates a ruleset:
# User Aliases
ssh_test = "{ 22 }"
# NAT Inbound Redirects
rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22
Which then fails to load with the error:
General
Unresolvable destination port alias 'ssh_test--22' for rule 'NAT Test PF' @ 2021-04-19 13:13:39
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:56: unknown port ssh_test - The line in question reads [56]: rdr on vtnet0 inet proto tcp from any to 172.21.16.180 port 22:ssh_test -> 192.168.180.59 port 22
@ 2021-04-19 13:13:40
Tested in:
2.5.1-RELEASE (amd64) built on Mon Apr 12 07:50:14 EDT 2021 FreeBSD 12.2-STABLE
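An added example, not part of the original report or of the pfSense code base: a Python check that scans a config.xml for NAT rules whose port range mixes a port number with a port alias, the condition described above. The function names and the sample document (the reported rule and alias, trimmed, plus a constructed numeric-range rule and a wrapping root element) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule and alias from the report, trimmed, plus one
# numeric-range rule for contrast, wrapped in a root element so it parses.
SAMPLE_CONFIG = """<pfsense>
<nat>
  <rule>
    <destination><network>wanip</network><port>22-ssh_test</port></destination>
    <descr><![CDATA[Test PF]]></descr>
  </rule>
  <rule>
    <destination><network>wanip</network><port>8000-8010</port></destination>
    <descr><![CDATA[Numeric range]]></descr>
  </rule>
</nat>
<aliases><alias><name>ssh_test</name><type>port</type><address>22</address></alias></aliases>
</pfsense>"""

def classify(port_field, aliases):
    """Classify a <port> value: ok, mixed, alias-range or unresolved."""
    kinds = []
    # Assumption: alias names never contain '-', so '-' only separates From/To.
    for end in port_field.split("-", 1):
        if end.isascii() and end.isdigit() and 1 <= int(end) <= 65535:
            kinds.append("number")
        elif end in aliases:
            kinds.append("alias")
        else:
            return "unresolved"
    if len(kinds) == 2 and "alias" in kinds:
        # number + alias is the reported case; alias + alias is for manual review.
        return "mixed" if "number" in kinds else "alias-range"
    return "ok"

def audit_nat_ports(xml_text):
    """Return (descr, field, value, verdict) for NAT rule ports that are not ok."""
    root = ET.fromstring(xml_text)
    aliases = {a.findtext("name") for a in root.iter("alias")
               if a.findtext("type") == "port"}
    findings = []
    for rule in root.findall(".//nat/rule"):
        for field in ("source/port", "destination/port"):
            value = (rule.findtext(field) or "").strip()
            verdict = classify(value, aliases) if value else "ok"
            if verdict != "ok":
                findings.append((rule.findtext("descr", ""), field, value, verdict))
    return findings

if __name__ == "__main__":
    print(audit_nat_ports(SAMPLE_CONFIG))
```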
Updated by Viktor Gurov over 4 years ago
I see a PHP error when trying to reproduce the same fw rules (pfSense 2.6.0.a.20210416.0100):
Crash report details: PHP Errors: [19-Apr-2021 16:38:16 Europe/Moscow] PHP Warning: A non-numeric value encountered in /usr/local/www/firewall_nat.php on line 145
Updated by Viktor Gurov over 4 years ago
extra input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/258
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
- Plus Target Version set to 21.09
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Viktor Gurov over 4 years ago
- % Done changed from 0 to 100
Applied in changeset 234fbf04cbb6ab2cf64f2e7491b135e9de31af07.
Updated by Steve Wheeler about 4 years ago
This is fixed in 21.09.
Trying to use a combination of aliases and ports is rejected:
The following input errors were detected:
The field Redirect target IP is required.
Destination port range From/To values must a port number or alias, but not both.
Tested:
21.09-BETA (amd64) built on Tue Sep 14 01:12:38 EDT 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Resolved
Updated by Chris W about 4 years ago
Also confirming the attempted combination use of aliases and ports on 2.6 Development:
The following input errors were detected: Destination port range From/To values must a port number or alias, but not both.
Tested:
2.6.0-DEVELOPMENT (amd64) built on Tue Sep 14 01:09:53 EDT 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle about 4 years ago
- Plus Target Version changed from 21.09 to 22.01