Todo #15590
Add input validation for duplicate 1-1 NAT rules
Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Default
Description
If two 1-1 NAT rules are present with overlapping external or internal IPs, the pf NAT ruleset doesn't load the second rule, but the GUI doesn't present any error upon creating the second rule, and the Generated Ruleset correctly lists both 1-1 NAT rules as present.
Either the 1-1 rule needs to be loaded into the ruleset properly, or the GUI should warn/forbid users on creation.
Redacted client pf ruleset files attached.
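As an added illustration of the validation this ticket asks for (not pfSense code, which is PHP): a stand-alone Python check over constructed sample rules that flags a 1-1 rule whose external or internal range overlaps an earlier one. Rules are modelled as (external, internal) pairs; the interface a rule is bound to is ignored here as a simplifying assumption.

```python
"""Added example, not pfSense code: detect 1-1 (binat) NAT rules whose external
or internal ranges overlap, so a GUI could reject the second rule at creation
time instead of letting pf silently drop it."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # (external address or CIDR, internal address or CIDR)


def _net(addr: str):
    # A bare address becomes a /32 (or /128); host bits set in a CIDR are tolerated.
    return ipaddress.ip_network(addr, strict=False)


def _overlap(a: str, b: str) -> bool:
    na, nb = _net(a), _net(b)
    return na.version == nb.version and na.overlaps(nb)


def find_binat_conflicts(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (index_a, index_b, side) for every pair of rules whose external or
    internal ranges overlap. pf applies only the first matching binat rule, so
    each pair marks a later rule that would not take effect."""
    conflicts = []
    for i, (ext_a, int_a) in enumerate(rules):
        for j in range(i + 1, len(rules)):
            ext_b, int_b = rules[j]
            if _overlap(ext_a, ext_b):
                conflicts.append((i, j, "external"))
            if _overlap(int_a, int_b):
                conflicts.append((i, j, "internal"))
    return conflicts


def validate_new_rule(existing: List[Rule], new: Rule) -> List[str]:
    """GUI-style error messages for `new`; an empty list means it may be saved."""
    new_idx = len(existing)
    errors = []
    for i, j, side in find_binat_conflicts(existing + [new]):
        if j == new_idx:  # only conflicts involving the rule being created
            addr = new[0] if side == "external" else new[1]
            errors.append(f"{side} address {addr} overlaps existing 1:1 rule "
                          f"#{i + 1} ({existing[i][0]} -> {existing[i][1]})")
    return errors


# Constructed sample: rule 2 reuses rule 1's internal host (the reported case,
# two binat lines with different external addresses); rule 4's internal /30
# sits inside rule 3's /29.
SAMPLE_RULES: List[Rule] = [
    ("203.0.113.10", "192.168.1.10"),
    ("203.0.113.11", "192.168.1.10"),
    ("203.0.113.16/29", "10.0.0.0/29"),
    ("203.0.113.24/29", "10.0.0.4/30"),
]

if __name__ == "__main__":
    for i, j, side in find_binat_conflicts(SAMPLE_RULES):
        print(f"rule {j + 1} would not load: {side} range overlaps rule {i + 1}")
```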
Updated by Jim Pingle about 1 year ago
- Status changed from New to Confirmed
I also tested this and saw the same behavior. Generated ruleset has two binat lines with different external addresses, but pfctl -sn output only has the first binat rule.
Updated by Georgiy Tyutyunnik about 1 year ago
Earlier versions (up to 22.05) also don't create duplicate 1-1 NAT rules.
Seems like pf has been operating under the same logic in this case for quite a while.
Updated by Marcos M about 1 year ago
- Tracker changed from Regression to Todo
- Subject changed from pf NAT ruleset can't have overlapping 1-1 NAT rules to Add input validation for overlapping 1-1 NAT rules
Updated by Marcos M about 1 year ago
- Subject changed from Add input validation for overlapping 1-1 NAT rules to Add input validation for duplicate 1-1 NAT rules