Bug #12385
closed
deleteVIP() does not check 1:1 NAT and Outbound NAT rules
0%
Description
It is possible to delete the Virtual IP that is used in 1:1 NAT rules (destination) and Outbound NAT rules (Translation Address)
additional input checks needed
see also #12356
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
This should not be enforced strictly. Not all NAT rules need a VIP. It's possible someone may be removing an unnecessary VIP if upstream changed to routing an address to the firewall, for example. Or it may be an 'other' type VIP which isn't needed at all.
We don't have a good way to determine if it's necessary since it depends on the end user environment and how their upstream delivers the traffic to the firewall.
Unlike with IPsec, NAT rules don't use an address as an interface binding, so the two scenarios are not equivalent.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to CE-Next
- Plus Target Version set to 22.01
Updated by Jim Pingle over 3 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
Updated by Jim Pingle almost 3 years ago
- Plus Target Version changed from 22.05 to 22.09
Updated by Jim Pingle almost 3 years ago
- Plus Target Version changed from 22.09 to 22.11
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle over 2 years ago
- Status changed from Pull Request Review to Rejected
- Target version deleted (
CE-Next) - Plus Target Version deleted (
23.01)
There is no easy way to determine if this is a fatal error or not. If the upstream routes the block to the firewall, no VIP is needed, so it's OK to delete. But the firewall has no way to know what the upstream is doing. Even in cases when it's in subnet it isn't always clear.
Closing.