Todo #15590
Add input validation for duplicate 1-1 NAT rules
Status: Confirmed
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
% Done: 0%
Release Notes: Default
Description
If two 1-1 NAT rules are present with overlapping external or internal IPs, the pf NAT ruleset doesn't load the second rule, but the GUI doesn't present any errors upon creating the second rule, and the Generated Ruleset correctly lists both 1-1 NAT rules as present.
Either the 1-1 rule needs to be loaded into the ruleset properly, or the GUI should warn/forbid users on creation.
Redacted client pf ruleset files attached.
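The GUI-side validation the report asks for, as an added example that is not pfSense code: before a new 1-1 rule is saved, its external and internal ranges are compared against every existing rule, and any overlap is rejected with a user-facing message instead of being handed to pf, which would silently keep only the first rule. The `OneToOneRule` fields and function names are assumptions for the illustration, not pfSense's own config keys or functions.

```python
"""Pre-save overlap check for 1-1 (binat) NAT rules.

Added illustration, not pfSense code. pf keeps only the first binat rule
whose external or internal addresses overlap an earlier one, so this is the
check a GUI could run before accepting a new rule. The OneToOneRule fields
are assumed names, not pfSense's config keys.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class OneToOneRule:
    external: str  # host or subnet, e.g. "203.0.113.10" or "203.0.113.8/29"
    internal: str  # host or subnet of the same size

    def networks(self):
        ext = ip_network(self.external, strict=False)
        itl = ip_network(self.internal, strict=False)
        # A binat mapping is address-for-address, so both sides must be the
        # same address family and the same prefix length.
        if ext.version != itl.version or ext.prefixlen != itl.prefixlen:
            raise ValueError(f"{self.external} -> {self.internal}: sides differ in size")
        return ext, itl


def find_conflict(new: OneToOneRule, existing: Iterable[OneToOneRule]
                  ) -> Optional[Tuple[str, OneToOneRule]]:
    """Return (side, clashing_rule) for the first existing rule whose
    external or internal range overlaps `new`, or None if it is safe to add."""
    new_ext, new_int = new.networks()
    for rule in existing:
        old_ext, old_int = rule.networks()
        if new_ext.overlaps(old_ext):
            return ("external", rule)
        if new_int.overlaps(old_int):
            return ("internal", rule)
    return None


def validate_new_rule(new: OneToOneRule, existing: Iterable[OneToOneRule]) -> None:
    """Raise ValueError with a message the GUI can display, rather than
    saving a rule pf would drop at load time."""
    clash = find_conflict(new, existing)
    if clash:
        side, rule = clash
        raise ValueError(
            f"{side} address {getattr(new, side)} overlaps existing 1:1 rule "
            f"{rule.external} -> {rule.internal}")
```

Both host addresses and subnets are accepted, so a /29 that contains an existing host mapping is caught as well as an exact duplicate.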
Updated by Jim Pingle 6 months ago
- Status changed from New to Confirmed
I also tested this and saw the same behavior. Generated ruleset has two binat lines with different external addresses, but `pfctl -sn` output only has the first binat rule.
Updated by Georgiy Tyutyunnik 6 months ago
Earlier versions (up to 22.05) also don't create duplicate 1-1 NAT rules.
Seems like pf was operating under the same logic in this case for quite a while.