
Bug #3173

NEGATE_ROUTE rule does not respect port numbers

Added by Phillip Davis over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
High
Assignee:
Ermal Luçi
Category:
Rules / NAT
Target version:
Start date:
08/31/2013
Due date:
% Done:

100%

Estimated time:
Affected Version:
Affected Architecture:

Description

See forum: http://forum.pfsense.org/index.php/topic,65886.0.html

If I add a rule on LAN to pass source all, destination all port 123 (NTP) then I get rules like this in /tmp/rules.debug:

pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"

<negate_networks> has a correct list of the networks that are on/across OpenVPN.
The first rule here allows traffic for any port, when I think it should have "port 123" in it to restrict the pass to just port 123.
The "port" clause is generated in filter.inc filter_generate_address, along with the whole "destination" clause. So it is not necessarily trivial to extract the port clause right where the negate_networks rule is written. So I will leave it to Ermal (I suspect) to sort out what code solution he thinks is neatest.
Since this is a situation where the underlying pf rules can pass more traffic than the user intended, I have made this high priority for 2.1.
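To make the defect concrete, here is an added Python model of the rule generation (an illustration written for this page, not the PHP code in filter.inc): negate_rule_line() with carry_port=False reproduces the over-broad NEGATE_ROUTE line quoted above, carry_port=True produces the line with the port clause carried over, and negate_is_wider() is the check one would run over /tmp/rules.debug to confirm a negate rule matches no more ports than the user rule it precedes. The NTP_RULE dictionary and all function names are constructed assumptions for the example.

```python
import re

# Constructed model of the user rule from the report (not filter.inc's data
# structure): pass on LAN, any source, any destination, TCP port 123, via
# the NTP gateway group.
NTP_RULE = {
    "interface": "$LAN1",
    "gateway": "$GWNTPGWG",
    "proto": "tcp",
    "src": "any",
    "dst": "any",
    "dst_port": "123",
    "label": "USER_RULE: Test NTP",
}

# pf port syntax accepted by this model: a single port or a low:high range.
_PORT_RE = re.compile(r"^\d{1,5}(:\d{1,5})?$")


def port_clause(rule):
    """Return the ' port N' / ' port N:M' fragment for a rule, or '' if none."""
    spec = rule.get("dst_port")
    if not spec:
        return ""
    if not _PORT_RE.match(spec):
        raise ValueError(f"unsupported port spec: {spec!r}")
    return f" port {spec}"


def user_rule_line(rule):
    """The gateway (policy-routing) rule itself, as written to rules.debug."""
    return (f"pass in quick on {rule['interface']} {rule['gateway']} inet "
            f"proto {rule['proto']} from {rule['src']} to {rule['dst']}"
            f"{port_clause(rule)} flags S/SA keep state label \"{rule['label']}\"")


def negate_rule_line(rule, carry_port=True):
    """The NEGATE_ROUTE rule written ahead of the gateway rule.

    carry_port=False reproduces the behaviour in the ticket: the destination
    port is dropped, so traffic to <negate_networks> on every port bypasses
    policy routing.  carry_port=True keeps the port clause of the user rule.
    """
    port = port_clause(rule) if carry_port else ""
    return (f"pass in quick on {rule['interface']} inet proto {rule['proto']} "
            f"from {rule['src']} to <negate_networks>{port} flags S/SA keep state "
            f"label \"NEGATE_ROUTE: Negate policy routing for destination\"")


_PORT_IN_LINE = re.compile(r" port (\S+)")


def negate_is_wider(negate_line, user_line):
    """True when the negate rule matches more ports than the user rule.

    A user rule without a port clause is already any-port, so nothing can be
    wider; otherwise the negate rule must carry the identical port clause.
    """
    user_port = _PORT_IN_LINE.search(user_line)
    negate_port = _PORT_IN_LINE.search(negate_line)
    if user_port is None:
        return False
    return negate_port is None or negate_port.group(1) != user_port.group(1)


if __name__ == "__main__":
    user = user_rule_line(NTP_RULE)
    print(user)
    for carry in (False, True):
        negate = negate_rule_line(NTP_RULE, carry_port=carry)
        print(negate)
        print("  negate rule wider than user rule:", negate_is_wider(negate, user))
```

Running the block prints the user rule, then the buggy and the fixed negate rule with the result of the width check for each; the same check can be applied line-pair by line-pair to a real rules.debug to spot any remaining negate rule that is broader than the user rule following it.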

Associated revisions

Revision 81d81b94 (diff)
Added by Ermal Luçi over 6 years ago

Fixes #3173 if any port information exists on the rule then put it on the NEGATE rule generated.

Revision 44f0f09b (diff)
Added by Ermal Luçi over 6 years ago

Fixes #3173 if any port information exists on the rule then put it on the NEGATE rule generated.

History

#1 Updated by Ermal Luçi over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Ermal Luçi over 6 years ago

#3 Updated by Phillip Davis over 6 years ago

The change did not quite make the snapshot of 2.1-RC1 (i386) built on Tue Sep 3 14:08:44 EDT 2013. I copied the /etc/inc/filter.inc manually and it works. The port spec appears in the negate rule.

#4 Updated by Renato Botelho over 6 years ago

  • Status changed from Feedback to Resolved
