Bug #13015
closed
NAT generates duplicate ``no nat on`` rules for port forwards with a destination of ``Any``
Added by Jim Pingle over 2 years ago.
Updated over 2 years ago.
Plus Target Version: 22.05
Description
Port forwards with a destination of ``Any`` get extra ``no nat on`` NAT rules which can end up duplicated across multiple port forwards.
For example this port forward is configured to redirect DNS to localhost but with a destination of Any (which isn't optimal, but it does induce the problem):
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
Note that the ``no nat on`` rule is not unique to this port, only the LAN subnet. Thus if there are multiple port forwards configured the same way, the rule is duplicated unnecessarily.
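As an added example (not pfSense's own rule generator, and not part of this report), the following Python models the point made above: the ``no nat on`` helper rule depends only on the interface, protocol and LAN subnet, so a generator can key it on that tuple and emit it once, while the ``rdr``/``nat`` pair stays per port forward. A second function counts ``no nat on`` lines in an existing ruleset dump, which is a quick way to confirm whether a running system shows the duplication. The port-forward records and the ``BEFORE_UPGRADE`` text are constructed here from the rules quoted in this report.

```python
from collections import Counter


def generate_reflection_rules(port_forwards, lan_subnet):
    """Emit pf NAT rules for port forwards whose destination is 'any'.

    Each port forward is a dict with keys iface, proto, port and target
    (constructed record format, not pfSense's config schema). The
    'no nat on' rule is tracked per (iface, proto, lan_subnet) and emitted
    only the first time that tuple is seen.
    """
    rules = ["# NAT Inbound Redirects"]
    emitted_no_nat = set()
    for fwd in port_forwards:
        iface, proto = fwd["iface"], fwd["proto"]
        port, target = fwd["port"], fwd["target"]
        rules.append(
            f"rdr on {iface} inet proto {proto} from any to any port {port} -> {target}"
        )
        # The helper rule carries no port, so it is identical for every
        # port forward on the same interface/protocol/subnet.
        key = (iface, proto, lan_subnet)
        if key not in emitted_no_nat:
            emitted_no_nat.add(key)
            rules.append(
                f"no nat on {iface} inet proto {proto} from ({iface}) to {lan_subnet}"
            )
        rules.append(
            f"nat on {iface} inet proto {proto} from {lan_subnet} "
            f"to {target} port {port} -> ({iface})"
        )
    return rules


def find_duplicate_no_nat(ruleset_text):
    """Return {rule_line: count} for every 'no nat on' line seen more than once."""
    counts = Counter(
        line.strip()
        for line in ruleset_text.splitlines()
        if line.strip().startswith("no nat on")
    )
    return {rule: n for rule, n in counts.items() if n > 1}


# Constructed from the "before upgrade" rules quoted in the report.
BEFORE_UPGRADE = """\
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
"""

# Constructed port forwards matching the two redirects in the report.
EXAMPLE_FORWARDS = [
    {"iface": "vtnet1", "proto": "tcp", "port": 853, "target": "127.0.0.1"},
    {"iface": "vtnet1", "proto": "tcp", "port": 53, "target": "127.0.0.1"},
]

if __name__ == "__main__":
    print("Duplicates in the old ruleset:", find_duplicate_no_nat(BEFORE_UPGRADE))
    print("\n".join(generate_reflection_rules(EXAMPLE_FORWARDS, "10.103.0.0/24")))
```

Running the script prints the one duplicated ``no nat on`` line (seen twice) from the old ruleset, followed by a regenerated ruleset in which that line appears once; the regenerated output has no duplicates when fed back into ``find_duplicate_no_nat``.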
- Related to Bug #13012: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet added
- Related to Regression #13011: Ruleset can fail to load on snapshot from March 31st added
- Assignee set to Viktor Gurov
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Tested the patch on the:
2.7.0-DEVELOPMENT (amd64)
built on Sat Apr 09 06:19:35 UTC 2022
FreeBSD 12.3-STABLE
Adding another rule with destination ANY doesn't add another 'no nat on' rule.
# NAT Inbound Redirects
rdr on vtnet1.20 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1.20 inet proto tcp from (vtnet1.20) to 192.168.20.0/24
nat on vtnet1.20 inet proto tcp from 192.168.20.0/24 to 127.0.0.1 port 53 -> (vtnet1.20)
rdr on vtnet1.20 inet proto { tcp udp } from any to any port 8080 -> 127.0.0.1
nat on vtnet1.20 inet proto tcp from 192.168.20.0/24 to 127.0.0.1 port 8080 -> (vtnet1.20)
It looks fine. However, I expected this to work without the patch with today's release.
- Status changed from Feedback to Resolved
It's OK on the latest snap for me, no need to apply the patch manually.
Before upgrade:
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
After upgrade to 2.7.0.a.20220411.0600:
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)