
Bug #12385

closed

deleteVIP() does not check 1:1 NAT and Outbound NAT rules

Added by Viktor Gurov over 2 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Virtual IP Addresses
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:

Description

It is possible to delete a Virtual IP that is used in 1:1 NAT rules (as the destination) and in Outbound NAT rules (as the Translation Address). Additional input checks are needed.

see also #12356

#2

Updated by Jim Pingle over 2 years ago

This should not be enforced strictly. Not all NAT rules need a VIP. It's possible someone may be removing an unnecessary VIP if upstream changed to routing an address to the firewall, for example. Or it may be an 'other' type VIP which isn't needed at all.

We don't have a good way to determine if it's necessary since it depends on the end user environment and how their upstream delivers the traffic to the firewall.

Unlike with IPsec, NAT rules don't use an address as an interface binding, so the two scenarios are not equivalent.

#3

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to CE-Next
  • Plus Target Version set to 22.01

#4

Updated by Jim Pingle over 2 years ago

  • Target version changed from CE-Next to 2.6.0

#5

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

#6

Updated by Jim Pingle almost 2 years ago

  • Plus Target Version changed from 22.05 to 22.09

#7

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.09 to 22.11

#8

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01

#9

Updated by Jim Pingle over 1 year ago

  • Assignee deleted (Viktor Gurov)

#10

Updated by Jim Pingle over 1 year ago

  • Status changed from Pull Request Review to Rejected
  • Target version deleted (CE-Next)
  • Plus Target Version deleted (23.01)

There is no easy way to determine if this is a fatal error or not. If the upstream routes the block to the firewall, no VIP is needed, so it's OK to delete. But the firewall has no way to know what the upstream is doing. Even in cases when it's in the subnet, it isn't always clear.

Closing.
