Regression #14719

closed

IPv4+IPv6 outbound NAT rule expands to invalid rule set

Added by Chris Linstruth about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: High
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Force Exclusion
Affected Version:
Affected Architecture:

Description

A misconfigured outbound NAT rule that used to load now stops pf from loading the rule set.

First seen on:
23.09-DEVELOPMENT (amd64)
built on Sat Aug 26 17:37:15 UTC 2023
FreeBSD 14.0-ALPHA2

Same configuration was not throwing an error on 23.05.1

There were error(s) loading the rules: /tmp/rules.debug:115: rule expands to no valid combination - The line in question reads [115]: nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> 2001:470:e01a:7fff::12ef/128 port 1024:65535
@ 2023-08-27 12:11:37

The outbound NAT rule in question is:

Interface: WAN
Address Family: IPv4+IPv6
Protocol: Any
Source: Network or Alias: 172.25.232.104/32 Port 5060
Destination: Any
Translation: WAN Address

Changing the rule to IPv4 only allows the rule set to load.

The WebGUI does not prohibit changing it back to IPv4+IPv6 and it breaks again.

Doing the same thing on 2.8.0 (Aug 5) does not create the inet6 rule and the ruleset loads.

Similar to #11548

Actions #1

Updated by Chris Linstruth about 1 year ago

  • Subject changed from "NAT rule expands to no valid combination - The line in question reads... IPv4+IPv6" to "IPv4+IPv6 outbound NAT rule expands to invalid rule set"
Actions #2

Updated by Jim Pingle about 1 year ago

  • Tracker changed from Bug to Regression
  • Project changed from pfSense Plus to pfSense
  • Category changed from Rules / NAT to Rules / NAT
  • Assignee set to Marcos M
  • Priority changed from Normal to High
  • Target version set to 2.8.0
  • Release Notes changed from Default to Force Exclusion
  • Affected Plus Version deleted (23.09)
  • Plus Target Version set to 23.09

Not specific to Plus.

Probably related to #3288 or other recent changes in that area by Marcos.

Actions #3

Updated by Marcos M about 1 year ago

  • Status changed from New to In Progress
Actions #4

Updated by Marcos M about 1 year ago

  • Status changed from In Progress to Pull Request Review
Actions #5

Updated by Marcos M about 1 year ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Danilo Zrenjanin about 1 year ago

  • Status changed from Feedback to Confirmed

I can confirm this behavior on:

23.09-DEVELOPMENT (amd64)
built on Sat Aug 26 04:50:14 UTC 2023
FreeBSD 14.0-ALPHA2

There were error(s) loading the rules: /tmp/rules.debug:55: rule expands to no valid combination - The line in question reads [55]: nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> (vtnet1.33) port 1024:65535 

Actions #7

Updated by Danilo Zrenjanin about 1 year ago

  • Status changed from Confirmed to Resolved

After applying the patch, the same rule set loads without any issues.

# Outbound NAT rules (manual)
nat on $WAN inet from 172.25.232.104/32 port 5060 to any -> 192.168.33.30/32 port 1024:65535

I am marking this ticket resolved.

Actions #8

Updated by Jim Pingle about 1 year ago

  • Target version changed from 2.8.0 to 2.7.1
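
The failure reported in this ticket is an `inet6` NAT line whose source is a literal IPv4 address, which pf rejects along with the rest of the rule set. The following is an added example, not the pfSense patch or any project code: a small lint over generated NAT lines that flags that mismatch before the file is loaded. The function names are hypothetical, and it only checks single literal addresses after `from`, `to` and `->`; macros, interface references and `any` are skipped.

```python
import ipaddress

FAMILY_VERSION = {"inet": 4, "inet6": 6}
NAT_KEYWORDS = ("nat ", "rdr ", "binat ")

# Rule lines copied from this ticket; the file layout around them is constructed.
SAMPLE = "\n".join([
    "# Outbound NAT rules (manual)",
    "nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> 2001:470:e01a:7fff::12ef/128 port 1024:65535",
    "nat on $WAN inet6 from 172.25.232.104/32 port 5060 to any -> (vtnet1.33) port 1024:65535",
    "nat on $WAN inet from 172.25.232.104/32 port 5060 to any -> 192.168.33.30/32 port 1024:65535",
])


def literal_version(token):
    """Return 4 or 6 for a literal address or network, None for anything else
    (macros, interface references, 'any', port ranges)."""
    try:
        return ipaddress.ip_network(token, strict=False).version
    except ValueError:
        return None


def family_conflicts(rule):
    """Return (keyword, address) pairs whose family contradicts inet/inet6."""
    tokens = rule.split()
    wanted = next((FAMILY_VERSION[t] for t in tokens if t in FAMILY_VERSION), None)
    if wanted is None:
        return []  # no address family keyword, nothing to contradict
    conflicts = []
    for keyword, token in zip(tokens, tokens[1:]):
        if keyword in ("from", "to", "->"):
            version = literal_version(token)
            if version is not None and version != wanted:
                conflicts.append((keyword, token))
    return conflicts


def lint(ruleset_text):
    """Return (line number, keyword, address) for every conflicting NAT line."""
    findings = []
    for lineno, line in enumerate(ruleset_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(NAT_KEYWORDS):
            findings += [(lineno, kw, addr) for kw, addr in family_conflicts(stripped)]
    return findings


if __name__ == "__main__":
    for lineno, kw, addr in lint(SAMPLE):
        print(f"line {lineno}: '{kw} {addr}' does not match the rule's address family")
```

Both `inet6` lines are flagged on their IPv4 source, and the `inet` line that loads after the patch is not.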