Bug #12385
closed
deleteVIP() does not check 1:1 NAT and Outbound NAT rules
Added by Viktor Gurov over 3 years ago.
Updated over 2 years ago.
Category: Virtual IP Addresses
Description
It is possible to delete a Virtual IP that is used in 1:1 NAT rules (destination) and Outbound NAT rules (Translation Address).
Additional input checks are needed.
See also #12356.
This should not be enforced strictly. Not all NAT rules need a VIP. It's possible someone may be removing an unnecessary VIP if upstream changed to routing an address to the firewall, for example. Or it may be an 'other' type VIP which isn't needed at all.
We don't have a good way to determine if it's necessary since it depends on the end user environment and how their upstream delivers the traffic to the firewall.
Unlike with IPsec, NAT rules don't use an address as an interface binding, so the two scenarios are not equivalent.
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to CE-Next
- Plus Target Version set to 22.01
- Target version changed from CE-Next to 2.6.0
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
- Plus Target Version changed from 22.05 to 22.09
- Plus Target Version changed from 22.09 to 22.11
- Plus Target Version changed from 22.11 to 23.01
- Assignee deleted (Viktor Gurov)
- Status changed from Pull Request Review to Rejected
- Target version deleted (CE-Next)
- Plus Target Version deleted (23.01)
There is no easy way to determine if this is a fatal error or not. If the upstream routes the block to the firewall, no VIP is needed, so it's OK to delete. But the firewall has no way to know what the upstream is doing. Even in cases when it's in subnet it isn't always clear.
Closing.
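As an added illustration (not code from the ticket or from pfSense), this is the advisory check the description asks for and the two maintainer comments leave room for: it reports which 1:1 and outbound NAT rules reference the VIP's address, or an address inside its subnet, so the delete page can warn the operator without refusing the deletion. The config key names and the sample rules are constructed assumptions, not the real pfSense config schema.

```python
import ipaddress

# Constructed sample config (key names are an assumption for this example):
# a VIP has an address and prefix length, 1:1 NAT rules name a "destination"
# address, outbound NAT rules a "target" translation address (host or CIDR).
SAMPLE_VIP = {"descr": "public alias", "subnet": "203.0.113.10", "subnet_bits": 24}
SAMPLE_ONETOONE = [
    {"descr": "web 1:1", "destination": "203.0.113.10"},
    {"descr": "mail 1:1", "destination": "203.0.113.20"},
]
SAMPLE_OUTBOUND = [
    {"descr": "lan egress", "target": "203.0.113.10"},
    {"descr": "guest egress", "target": "203.0.113.64/26"},
    {"descr": "dmz egress", "target": "198.51.100.5"},
]


def vip_references(vip, onetoone, outbound):
    """Collect NAT rules that may depend on vip.

    Returns {"exact": [...], "subnet": [...]}: "exact" rules use the VIP's own
    address; "subnet" rules use another address inside the VIP's subnet, which,
    as the ticket notes, may or may not need the VIP (upstream may route the
    whole block to the firewall). This is advisory only; it never blocks.
    """
    vip_addr = ipaddress.ip_address(vip["subnet"])
    vip_net = ipaddress.ip_network(
        f"{vip['subnet']}/{vip['subnet_bits']}", strict=False)
    refs = {"exact": [], "subnet": []}
    for kind, rules, key in (("1:1", onetoone, "destination"),
                             ("outbound", outbound, "target")):
        for rule in rules:
            addr = rule.get(key)
            if not addr:
                continue
            net = ipaddress.ip_network(addr, strict=False)
            label = f"{kind}: {rule.get('descr', '')}"
            if net.num_addresses == 1 and net.network_address == vip_addr:
                refs["exact"].append(label)
            elif vip_net.overlaps(net):
                refs["subnet"].append(label)
    return refs


def deletion_warning(vip, onetoone, outbound):
    """Warning text for the delete-VIP page; empty string when nothing refers to it."""
    refs = vip_references(vip, onetoone, outbound)
    if not refs["exact"] and not refs["subnet"]:
        return ""
    lines = [f"Virtual IP {vip['subnet']} may still be in use:"]
    lines += [f"  uses this address: {r}" for r in refs["exact"]]
    lines += [f"  uses an address in its subnet: {r}" for r in refs["subnet"]]
    lines.append("Delete only if upstream routes this address or block to the firewall.")
    return "\n".join(lines)
```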