Bug #12385

open

deleteVIP() does not check 1:1 NAT and Outbound NAT rules

Added by Viktor Gurov 3 months ago. Updated about 1 month ago.

Status: Pull Request Review
Priority: Normal
Assignee:
Category: Virtual IP Addresses
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:

Description

It is possible to delete the Virtual IP that is used in 1:1 NAT rules (destination) and Outbound NAT rules (Translation Address).
Additional input checks are needed.

see also #12356

Actions #2

Updated by Jim Pingle 3 months ago

This should not be enforced strictly. Not all NAT rules need a VIP. It's possible someone may be removing an unnecessary VIP if upstream changed to routing an address to the firewall, for example. Or it may be an 'other' type VIP which isn't needed at all.

We don't have a good way to determine if it's necessary since it depends on the end user environment and how their upstream delivers the traffic to the firewall.

Unlike with IPsec, NAT rules don't use an address as an interface binding, so the two scenarios are not equivalent.

Actions #3

Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to CE-Next
  • Plus Target Version set to 22.01

Actions #4

Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.6.0
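
A sketch of the kind of check discussed in this ticket, added here as an example and not pfSense code or the submitted pull request: it scans 1:1 NAT destinations and Outbound NAT translation addresses for a VIP and, in line with the comment that this should not be enforced strictly, returns warnings that can be overridden. The config layout, key names and function names are hypothetical, and the addresses are constructed.

```python
import ipaddress

# Constructed sample data; the key names are hypothetical, not pfSense's config schema.
SAMPLE_NAT = {
    "one_to_one": [
        {"descr": "mail server", "destination": "203.0.113.10"},
        {"descr": "any destination", "destination": "any"},
    ],
    "outbound": [
        {"descr": "LAN via VIP", "translation": "203.0.113.10"},
        {"descr": "DMZ via pool", "translation": "203.0.113.8/29"},
        {"descr": "interface address", "translation": ""},
    ],
}


def _overlaps(vip_net, value):
    """True if a rule field holds an address or subnet that overlaps the VIP."""
    try:
        return vip_net.overlaps(ipaddress.ip_network(value, strict=False))
    except (ValueError, TypeError):
        return False  # "any", alias names and empty fields are not literal addresses


def find_vip_references(vip, nat):
    """Return (rule type, description) for every NAT rule that uses the VIP."""
    vip_net = ipaddress.ip_network(vip, strict=False)
    # Only the two fields named in the ticket are inspected.
    checks = (("1:1 NAT", "one_to_one", "destination"),
              ("Outbound NAT", "outbound", "translation"))
    return [(label, rule.get("descr", ""))
            for label, section, field in checks
            for rule in nat.get(section, [])
            if _overlaps(vip_net, rule.get(field))]


def delete_vip_check(vip, nat, confirmed=False):
    """Advisory check: references yield warnings and block only until confirmed."""
    refs = find_vip_references(vip, nat)
    warnings = [f"{label} rule '{descr}' references {vip}" for label, descr in refs]
    return (not refs or confirmed), warnings
```

A translation pool such as `203.0.113.8/29` is reported because it contains the VIP address; whether the VIP is actually required still depends on how upstream delivers traffic, which is why the result is a warning rather than a hard failure.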