Bug #13015: NAT generates duplicate ``no nat on`` rules for port forwards with a destination of ``Any``
Status: Closed
% Done: 100%
Description
Port forwards with a destination of ``Any`` get extra ``no nat on`` NAT rules, which can end up duplicated across multiple port forwards.
For example, this port forward is configured to redirect DNS to localhost but with a destination of Any (which isn't optimal, but it does induce the problem):
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
Note that the ``no nat on`` rule is not unique to this port, only to the LAN subnet. Thus if there are multiple port forwards configured the same way, the rule is duplicated unnecessarily.
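As an added example (not pfSense code and not part of the ticket), a small Python check that flags duplicated ``no nat on`` rules in a NAT ruleset such as the ``pfctl -sn`` style output quoted above, and shows the de-duplicated shape a fixed generator should produce. The sample ruleset is constructed here, modelled on the two-port-forward case described in the ticket.

```python
"""Detect and collapse duplicated 'no nat on' rules in a pf NAT ruleset."""
from collections import Counter

# Constructed sample: two port forwards with destination Any on the same LAN,
# each generating its own copy of the same 'no nat on' exemption.
SAMPLE_RULES = """\
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
"""


def _normalise(line: str) -> str:
    # Collapse whitespace so formatting differences do not hide a duplicate.
    return " ".join(line.split())


def find_duplicate_no_nat(ruleset: str) -> dict[str, int]:
    """Return every 'no nat on' rule that appears more than once, with its count.

    The exemption is keyed only on interface and subnet, so any rule text that
    repeats verbatim is a redundant copy rather than a distinct exemption."""
    counts = Counter(
        _normalise(line)
        for line in ruleset.splitlines()
        if _normalise(line).startswith("no nat on")
    )
    return {rule: n for rule, n in counts.items() if n > 1}


def dedupe_no_nat(ruleset: str) -> str:
    """Emit the ruleset with repeated 'no nat on' rules dropped, keeping the first.

    This mirrors what a fixed generator should do: one exemption per
    interface/subnet regardless of how many port forwards share it."""
    seen: set[str] = set()
    kept: list[str] = []
    for line in ruleset.splitlines():
        key = _normalise(line)
        if key.startswith("no nat on"):
            if key in seen:
                continue  # redundant copy of an exemption already emitted
            seen.add(key)
        kept.append(line)
    return "\n".join(kept) + "\n"
```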
Related issues
Updated by Jim Pingle over 2 years ago
- Related to Bug #13012: NAT Reflection generates duplicate rules when internal interface contains multiple VIPs in the same subnet added
Updated by Jim Pingle over 2 years ago
- Related to Regression #13011: Ruleset can fail to load on snapshot from March 31st added
Updated by Viktor Gurov over 2 years ago
- Assignee set to Viktor Gurov
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Viktor Gurov over 2 years ago
- % Done changed from 0 to 100
Applied in changeset b409b29c0e549d966aed312d3ec53b8ae4d0fe29.
Updated by Danilo Zrenjanin over 2 years ago
Tested the patch on:
2.7.0-DEVELOPMENT (amd64) built on Sat Apr 09 06:19:35 UTC 2022 FreeBSD 12.3-STABLE
Adding another rule with destination ANY doesn't add another 'no nat on' rule.
# NAT Inbound Redirects
rdr on vtnet1.20 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1.20 inet proto tcp from (vtnet1.20) to 192.168.20.0/24
nat on vtnet1.20 inet proto tcp from 192.168.20.0/24 to 127.0.0.1 port 53 -> (vtnet1.20)
rdr on vtnet1.20 inet proto { tcp udp } from any to any port 8080 -> 127.0.0.1
nat on vtnet1.20 inet proto tcp from 192.168.20.0/24 to 127.0.0.1 port 8080 -> (vtnet1.20)
It looks fine. However, I expected this to work without the patch with today's release.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
It's OK on the latest snap for me, no need to apply the patch manually.
Before upgrade:
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)
After upgrade to 2.7.0.a.20220411.0600:
# NAT Inbound Redirects
rdr on vtnet1 inet proto { tcp udp } from any to any port 853 -> 127.0.0.1
no nat on vtnet1 inet proto tcp from (vtnet1) to 10.103.0.0/24
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 853 -> (vtnet1)
rdr on vtnet1 inet proto { tcp udp } from any to any port 53 -> 127.0.0.1
nat on vtnet1 inet proto tcp from 10.103.0.0/24 to 127.0.0.1 port 53 -> (vtnet1)