Project

General

Profile

Actions
Copy link

Todo #15590

open

Add input validation for duplicate 1-1 NAT rules

Added by Georgiy Tyutyunnik 17 days ago. Updated 14 days ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

If two 1-1 NAT rules are present with overlapping external or internal IPs, pf NAT ruleset doesn't load the 2nd rule but GUI doesn't present any errors upon creating the second rule, and Generated Ruleset correctly lists both 1-1 NAT rules as present.
Either the 1-1 rule needs to be loaded into ruleset properly, or GUI should warn/forbid users on creation
redacted client pf ruleset files attached

Files

redacted_pf_rulesets.txt (667 Bytes) redacted_pf_rulesets.txt Georgiy Tyutyunnik, 07/01/2024 02:41 PM
Actions
Copy link
 #1

Updated by Jim Pingle 17 days ago

  • Status changed from New to Confirmed

I also tested this and saw the same behavior. Generated ruleset has two binat lines with different external addresses, but pfctl -sn output only has the first binat rule.

Actions
Copy link
 #2

Updated by Georgiy Tyutyunnik 14 days ago

earlier versions (up to 22.05) also don't create duplicate 1-1 NAT rules
seems like pf was operating under the same logic in this case for quite a while

Actions
Copy link
 #3

Updated by Marcos M 14 days ago

  • Tracker changed from Regression to Todo
  • Subject changed from pf NAT ruleset can't have overlapping 1-1 NAT rules to Add input validation for overlapping 1-1 NAT rules
Actions
Copy link
 #4

Updated by Marcos M 14 days ago

  • Subject changed from Add input validation for overlapping 1-1 NAT rules to Add input validation for duplicate 1-1 NAT rules
Actions
Copy link

Also available in: Atom PDF