Regression #14719
closed
IPv4+IPv6 outbound NAT rule expands to invalid rule set
100%
Description
A misconfigured outbound NAT rule that used to load now stops pf from loading the rule set.
First seen on:
23.09-DEVELOPMENT (amd64)
built on Sat Aug 26 17:37:15 UTC 2023
FreeBSD 14.0-ALPHA2
Same configuration was not throwing an error on 23.05.1
There were error(s) loading the rules: /tmp/rules.debug:115: rule expands to no valid combination - The line in question reads [115]: nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> 2001:470:e01a:7fff::12ef/128 port 1024:65535
@ 2023-08-27 12:11:37
The outbound NAT rule in question is:
Interface: WAN
Address Family: IPv4+IPv6
Protocol: Any
Source: Network or Alias: 172.25.232.104/32 Port 5060
Destination: Any
Translation: WAN Address
Changing the rule to IPv4 only allows the rule set to load.
The WebGUI does not prohibit changing it back to IPv4+IPv6 and it breaks again.
Doing the same thing on 2.8.0 (Aug 5) does not create the inet6 rule and the ruleset loads.
Similar to #11548
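An added example, not part of the original report and not the fix applied for this ticket: a Python sketch (pfSense itself generates its rules in PHP) that expands an IPv4+IPv6 outbound NAT rule into one pf line per address family, skips a family whose literal source or destination belongs to the other family, and flags an already generated line with that mismatch. The function names and the `inet46` value are assumptions; the addresses are the ones quoted in this ticket.

```python
import ipaddress
import re

FAMILIES = {"inet": 4, "inet6": 6}


def addr_version(token):
    """Return 4 or 6 for a literal address/CIDR, None for 'any', macros or aliases."""
    try:
        return ipaddress.ip_network(token, strict=False).version
    except ValueError:
        return None


def expand_nat(iface, family, src, sport, dst, targets):
    """Expand a rule into pf nat lines, one per usable family.

    family is 'inet', 'inet6' or 'inet46' (assumed name for IPv4+IPv6).
    targets maps each family to its translation address.
    Returns (lines, skipped_families).
    """
    wanted = ["inet", "inet6"] if family == "inet46" else [family]
    lines, skipped = [], []
    for fam in wanted:
        literal = {addr_version(a) for a in (src, dst)} - {None}
        # pf refuses a line whose family and literal addresses disagree.
        if literal - {FAMILIES[fam]} or fam not in targets:
            skipped.append(fam)
            continue
        port = f" port {sport}" if sport else ""
        lines.append(f"nat on {iface} {fam} from {src}{port} to {dst}"
                     f" -> {targets[fam]} port 1024:65535")
    return lines, skipped


def family_mismatch(rule_line):
    """True when a nat line pins a family but names a literal address of the other."""
    m = re.match(r"nat on \S+ (inet6?) from (\S+).* to (\S+)", rule_line)
    if not m:
        return False
    literal = {addr_version(a) for a in m.group(2, 3)} - {None}
    return bool(literal - {FAMILIES[m.group(1)]})


if __name__ == "__main__":
    # Rule from this ticket: IPv4 source, address family set to IPv4+IPv6.
    targets = {"inet": "192.168.33.30/32", "inet6": "2001:470:e01a:7fff::12ef/128"}
    print(expand_nat("$WAN", "inet46", "172.25.232.104/32", "5060", "any", targets))
```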
Updated by Chris Linstruth over 1 year ago
- Subject changed from "NAT rule expands to no valid combination - The line in question reads... IPv4+IPv6" to "IPv4+IPv6 outbound NAT rule expands to invalid rule set"
Updated by Jim Pingle over 1 year ago
- Tracker changed from Bug to Regression
- Project changed from pfSense Plus to pfSense
- Category changed from Rules / NAT to Rules / NAT
- Assignee set to Marcos M
- Priority changed from Normal to High
- Target version set to 2.8.0
- Release Notes changed from Default to Force Exclusion
- Affected Plus Version deleted (23.09)
- Plus Target Version set to 23.09
Not specific to Plus.
Probably related to #3288 or other recent changes in that area by Marcos.
Updated by Marcos M over 1 year ago
- Status changed from In Progress to Pull Request Review
Updated by Marcos M over 1 year ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 3ac7816f637b54cb4fb958fa0a439c147e13baff.
Updated by Danilo Zrenjanin over 1 year ago
- Status changed from Feedback to Confirmed
I can confirm this behavior on:
23.09-DEVELOPMENT (amd64)
built on Sat Aug 26 04:50:14 UTC 2023
FreeBSD 14.0-ALPHA2
There were error(s) loading the rules: /tmp/rules.debug:55: rule expands to no valid combination - The line in question reads [55]: nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> (vtnet1.33) port 1024:65535
Updated by Danilo Zrenjanin over 1 year ago
- Status changed from Confirmed to Resolved
After applying the patch, the same rule set loads without any issues.
# Outbound NAT rules (manual)
nat on $WAN inet from 172.25.232.104/32 port 5060 to any -> 192.168.33.30/32 port 1024:65535
I am marking this ticket resolved.
Updated by Jim Pingle about 1 year ago
- Target version changed from 2.8.0 to 2.7.1