Project

General

Profile

Actions
Copy link

Bug #12168

closed

1:1 NAT rule with internal IP address of "Any" results in an invalid firewall rule

Added by Marcos M over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Rules / NAT
Target version:
2.6.0
Start date:
07/26/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

  1. Create a new 1:1 NAT rule
  2. Choose interface / external subnet IP
  3. Select Any for Internal IP
  4. Save/Apply

Result:

There were error(s) loading the rules: /tmp/rules.debug:45: syntax error - The line in question reads [45]: binat on vmx0 inet from  to any -> 10.0.5.215

On previous pfSense versions, a "valid" rule would be created as: binat on vmx0 inet from any to any -> 10.0.5.215

If from any is invalid, then the rule should be disabled on upgrade, and input validation should catch it when it gets saved/re-enabled by the user. If it's supposed to be valid to account for a niche case, then the resulting pf rule should be valid.

Actions
Copy link
 #2

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions
Copy link
 #3

Updated by Marcos M over 3 years ago

  • Status changed from Pull Request Review to Resolved

Rule created correctly:
binat on vmx0 inet from any to any -> 10.0.5.201

Tested on:
21.09-DEVELOPMENT (amd64)
built on Sun Aug 08 01:12:39 EDT 2021

Actions
Copy link
 #4

Updated by Viktor Gurov over 3 years ago

  • Assignee set to Viktor Gurov

Merged

Actions
Copy link
 #5

Updated by Viktor Gurov over 3 years ago

  • Status changed from Resolved to Feedback

Please check on the latest snapshot

Actions
Copy link
 #6

Updated by Alhusein Zawi over 3 years ago

binat on em1 inet all -> 50.50.50.111

2.6.0.a.20210814.1404

Actions
Copy link
 #7

Updated by Jim Pingle about 3 years ago

  • Subject changed from Selecting Any for Internal IP on 1:1 NAT results in an invalid pf rule to 1:1 NAT rule with internal IP address of "Any" results in an invalid firewall rule

Updating subject for release notes.

Actions
Copy link
 #8

Updated by Danilo Zrenjanin about 3 years ago

  • Status changed from Feedback to Resolved

Tested on the:

2.6.0-DEVELOPMENT (amd64)
built on Thu Sep 30 01:08:51 EDT 2021
FreeBSD 12.2-STABLE

No errors while reloading the filter. Ticket resolved.

Actions
Copy link
 #9

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions
Copy link

Also available in: Atom PDF