Todo #15590

open

Add input validation for duplicate 1-1 NAT rules

Added by Georgiy Tyutyunnik 6 months ago. Updated 6 months ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

If two 1-1 NAT rules are present with overlapping external or internal IPs, the pf NAT ruleset doesn't load the 2nd rule, but the GUI doesn't present any errors upon creating the second rule, and the Generated Ruleset correctly lists both 1-1 NAT rules as present.
Either the 1-1 rule needs to be loaded into the ruleset properly, or the GUI should warn/forbid users on creation.
Redacted client pf ruleset files attached.


Files

redacted_pf_rulesets.txt (667 Bytes) - Georgiy Tyutyunnik, 07/01/2024 02:41 PM
Actions #1

Updated by Jim Pingle 6 months ago

  • Status changed from New to Confirmed

I also tested this and saw the same behavior. Generated ruleset has two binat lines with different external addresses, but pfctl -sn output only has the first binat rule.
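The description and comment #1 above both describe the same gap: the generated ruleset carries two binat lines, pf silently applies only the first, and the GUI never objects. The following is an added example (not pfSense code, not the attached redacted_pf_rulesets.txt) of the kind of pre-flight check the todo asks for: it parses binat lines from ruleset text, reports every later rule whose internal or external address overlaps an earlier rule, and offers a validate_new_rule() function that a form handler could call before accepting a new 1-1 NAT rule. It goes slightly beyond the strict "duplicate" case by using network overlap (a /24 against a host inside it counts as a conflict), and it assumes conflicts only matter between rules on the same interface; both of those choices, the SAMPLE_RULESET text and the function names are this example's assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of the binat lines a 1-1 NAT rule produces.
# It is NOT the attached redacted_pf_rulesets.txt. Line 4 reuses the internal
# address of line 2, and line 5 is a /24 that overlaps every earlier line.
SAMPLE_RULESET = """\
# constructed sample ruleset
binat on em0 from 10.0.0.5 to any -> 203.0.113.5
binat on em0 from 10.0.0.6 to any -> 203.0.113.6
binat on em0 from 10.0.0.5 to any -> 203.0.113.7
binat on em0 from 10.0.0.0/24 to any -> 203.0.113.0/24
"""

BINAT_RE = re.compile(
    r"^\s*binat\s+on\s+(?P<iface>\S+)\s+from\s+(?P<internal>\S+)\s+to\s+any"
    r"\s+->\s+(?P<external>\S+)\s*$"
)


class BinatRule(NamedTuple):
    iface: str
    internal: IPNetwork
    external: IPNetwork
    line_no: int  # 1-based line in the ruleset text, used in messages


def parse_binat_rules(text: str) -> List[BinatRule]:
    """Extract binat lines from pf ruleset text; every other line is ignored."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = BINAT_RE.match(line)
        if m is None:
            continue
        rules.append(BinatRule(
            iface=m["iface"],
            # strict=False accepts plain host addresses (treated as /32 or /128)
            internal=ipaddress.ip_network(m["internal"], strict=False),
            external=ipaddress.ip_network(m["external"], strict=False),
            line_no=line_no,
        ))
    return rules


def find_conflicts(rules: List[BinatRule]) -> List[Tuple[int, int, str]]:
    """Report each later rule whose internal or external address overlaps an
    earlier rule on the same interface. pf applies only the earlier one, so
    each tuple is (shadowed_line, winning_line, field)."""
    conflicts = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.iface != rule.iface:  # assumption: per-interface scope
                continue
            if rule.internal.overlaps(earlier.internal):
                conflicts.append((rule.line_no, earlier.line_no, "internal"))
            if rule.external.overlaps(earlier.external):
                conflicts.append((rule.line_no, earlier.line_no, "external"))
    return conflicts


def validate_new_rule(existing: List[BinatRule], iface: str,
                      internal: str, external: str) -> List[str]:
    """GUI-side input validation: human-readable errors if the proposed 1-1 NAT
    rule would duplicate or overlap one already configured. Empty list = OK."""
    candidate = BinatRule(iface, ipaddress.ip_network(internal, strict=False),
                          ipaddress.ip_network(external, strict=False), 0)
    errors = []
    for other in existing:
        if other.iface != iface:
            continue
        for field in ("internal", "external"):
            if getattr(candidate, field).overlaps(getattr(other, field)):
                errors.append(
                    f"{field} address {getattr(candidate, field)} overlaps the "
                    f"{field} address {getattr(other, field)} of the existing "
                    f"1-1 NAT rule on {iface} (ruleset line {other.line_no}); "
                    f"pf would apply only the existing rule."
                )
    return errors


if __name__ == "__main__":
    rules = parse_binat_rules(SAMPLE_RULESET)
    for shadowed, winning, field in find_conflicts(rules):
        print(f"line {shadowed}: {field} overlaps line {winning}; "
              f"pf loads line {winning} only")
    for err in validate_new_rule(rules[:2], "em0", "10.0.0.7", "203.0.113.6"):
        print("refuse:", err)
```

find_conflicts() is the audit view (run it over an already generated ruleset to see which binat lines pfctl -sn will never show), while validate_new_rule() is the form-time check that would have refused the second rule in the report instead of letting it into the generated ruleset.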

Actions #2

Updated by Georgiy Tyutyunnik 6 months ago

Earlier versions (up to 22.05) also don't create duplicate 1-1 NAT rules;
seems like pf was operating under the same logic in this case for quite a while.

Actions #3

Updated by Marcos M 6 months ago

  • Tracker changed from Regression to Todo
  • Subject changed from pf NAT ruleset can't have overlapping 1-1 NAT rules to Add input validation for overlapping 1-1 NAT rules
Actions #4

Updated by Marcos M 6 months ago

  • Subject changed from Add input validation for overlapping 1-1 NAT rules to Add input validation for duplicate 1-1 NAT rules