Bug #3560
Status: closed
Disabled Static Route not fully disabled
100%
Description
Add a gateway to an internal router behind LAN. Add a static route to some private IPv4 subnet behind that gateway. Automatic Outbound NAT is enabled. The system defines a route in the routing table and includes that subnet in "tonatsubnets" list in the pf rule set, and correctly NATs that subnet out on WAN - good stuff.
Now edit the static route, select "Disabled" and save, apply. The route is removed from the routing table - good. But "tonatsubnets" still contains the subnet and thus there are still NAT rule/s outbound for that subnet - should not be like that.
It looks like many bits of code do not check and process only the "enabled" static routes.
/etc/inc/util.inc:function get_staticroutes() returns all routes, enabled or disabled.
For validation, that is probably good - e.g. when deleting an alias it is good to check if the alias is used even in a disabled static route.
But for live implementation code, just the enabled static routes should be returned for the caller to process and put into conf file, pf rule set...
Perhaps add a parameter so the caller can decide if they want all, or just the enabled static routes. Then adjust the existing calls to get_staticroutes().
Also, /etc/inc/services.inc function services_dhcrelay6_configure() does some processing of $config['staticroutes']['route'] without ever filtering out "disabled" static routes. So that code is going to process static routes that are disabled, whatever side-effect that will have.
I looked at this because of forum https://forum.pfsense.org/index.php?topic=74348.msg406471#msg406471 where Dayid Alan noted that he resolved his issue by actually deleting a static route that had been just disabled. I expect that a review of the calls to get_staticroutes() as proposed above will result in this forum issue being fixed also.
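The filtering proposed in the description, as an added PHP example that is not pfSense source code and not part of the original report. The function names, the `network`, `gateway` and `disabled` keys, and the sample configuration are assumptions made for illustration.

```php
<?php
// Added example, not pfSense source. Assumes each route entry has 'network'
// and 'gateway' keys and that a disabled route carries a 'disabled' key.

// Constructed sample configuration: one enabled and one disabled route.
$config = ['staticroutes' => ['route' => [
    ['network' => '10.20.0.0/24', 'gateway' => 'LAN_RTR', 'descr' => 'lab'],
    ['network' => '10.30.0.0/24', 'gateway' => 'LAN_RTR', 'descr' => 'old', 'disabled' => true],
]]];

// Hypothetical helper: the caller chooses all routes or only the enabled ones.
function example_get_staticroutes(array $config, bool $enabled_only = false): array
{
    $routes = $config['staticroutes']['route'] ?? [];
    if (!is_array($routes)) {
        return [];
    }
    if (!$enabled_only) {
        return array_values($routes);
    }
    return array_values(array_filter($routes, function ($route) {
        return !isset($route['disabled']);
    }));
}

// Live path: only enabled routes may contribute subnets to the NAT list,
// otherwise a disabled route keeps its outbound NAT rule.
function example_tonatsubnets(array $config): array
{
    return array_column(example_get_staticroutes($config, true), 'network');
}

// Validation path: a reference held by a disabled route still counts as "in use",
// so the check deliberately asks for all routes.
function example_gateway_in_use(array $config, string $gateway): bool
{
    foreach (example_get_staticroutes($config) as $route) {
        if (($route['gateway'] ?? '') === $gateway) {
            return true;
        }
    }
    return false;
}

echo implode(' ', example_tonatsubnets($config)), PHP_EOL;
var_dump(example_gateway_in_use($config, 'LAN_RTR'));
```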
Updated by Phillip Davis over 10 years ago
I didn't bother putting a target version on this, IMHO I wouldn't hold up any release for this! The simple workaround is just to actually delete the static route, rather than only disabling it.
Updated by Phillip Davis over 10 years ago
After doing testing, I deleted my static route. But there was no subsystem-dirty prompt to apply the change. The pf rule set "tonatsubnets" list still contained the subnet from the static route. After deleting the gateway, I got the apply button, and that rebuilt the pf rule set and "tonatsubnets" correctly lost the deleted static route.
Updated by Chris Buechler about 9 years ago
- Status changed from New to Confirmed
- Priority changed from Normal to Low
- Affected Version changed from 2.1 to All
Updated by Phillip Davis almost 8 years ago
Updated by Renato Botelho almost 8 years ago
- Status changed from Confirmed to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.4.0
- % Done changed from 0 to 100
PR has been merged, thanks!
Updated by Jim Pingle almost 8 years ago
- Target version changed from 2.4.0 to 2.3.3