Project

General

Profile

Actions
Copy link

Bug #13012

closed

NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Viktor Gurov
Category:
Rules / NAT
Target version:
2.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

NAT reflection can generate multiple identical rules if the configuration contains multiple VIPs in the same subnet.

Example Setup:

  • Port forward on WAN to a host on LAN
  • LAN has three VIPs (An IP alias, a CARP, and an Alias on CARP) inside the LAN subnet
  • NAT reflection enabled in pure NAT mode

The ruleset ends up with multiple copies of the same reflection rule:

rdr on vtnet0 inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
# Reflection redirect
rdr on { vtnet1  enc0 openvpn SomeWANs } inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535

Looks like there are multiple entries for the same network coming back from filter_get_direct_networks_list(false); one for each VIP and the next loop in the reflection code isn't accounting for that situation.

At the very least it should keep a record of which combinations it's already added rules for and skipping those, or checking for and skipping if the rule it generates is identical to one already in the list.

Related issues

Related to Regression #13011: Ruleset can fail to load on snapshot from March 31stResolvedMateusz Guzik

Actions
Related to Bug #13015: NAT generates duplicate ``no nat on`` rules for port forwards with a destination of ``Any``ResolvedViktor Gurov

Actions
Actions
Copy link
 #1

Updated by Jim Pingle over 2 years ago

  • Related to Regression #13011: Ruleset can fail to load on snapshot from March 31st added
Actions
Copy link
 #2

Updated by Jim Pingle over 2 years ago

  • Related to Bug #13015: NAT generates duplicate ``no nat on`` rules for port forwards with a destination of ``Any`` added
Actions
Copy link
 #3

Updated by Viktor Gurov over 2 years ago

  • Assignee set to Viktor Gurov
  • Affected Version set to 2.6.0
Actions
Copy link
 #4

Updated by Jim Pingle over 2 years ago

  • Status changed from Confirmed to Pull Request Review
Actions
Copy link
 #5

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
Actions
Copy link
 #6

Updated by Viktor Gurov over 2 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Alhusein Zawi over 2 years ago

LAN has 3 VIPs:
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
rdr on em0 inet proto tcp from any to 10.100.100.127 port 2020 -> 192.168.1.1
  1. Reflection redirect
    rdr on { em1 enc0 } inet proto tcp from any to 10.100.100.127 port 2020 -> 192.168.1.1

2.7.0.a.20220409.0600

Actions
Copy link
 #8

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF