Bug #3560

closed

Disabled Static Route not fully disabled

Added by Phillip Davis almost 10 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Low
Category: Routing
Target version:
Start date: 03/31/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

Add a gateway to an internal router behind LAN. Add a static route to some private IPv4 subnet behind that gateway. Automatic Outbound NAT is enabled. The system defines a route in the routing table and includes that subnet in the "tonatsubnets" list in the pf rule set, and correctly NATs that subnet out on WAN - good stuff.
Now edit the static route, select "Disabled" and save, apply. The route is removed from the routing table - good. But "tonatsubnets" still contains the subnet and thus there are still NAT rule/s outbound for that subnet - should not be like that.
It looks like many bits of code do not check and process only the "enabled" static routes.
/etc/inc/util.inc:function get_staticroutes() returns all routes, enabled or disabled.
For validation, that is probably good - e.g. when deleting an alias it is good to check if the alias is used even in a disabled static route.
But for live implementation code, just the enabled static routes should be returned for the caller to process and put into conf file, pf rule set...
Perhaps add a parameter so the caller can decide if they want all, or just the enabled static routes. Then adjust the existing calls to get_staticroutes().

Also, /etc/inc/services.inc function services_dhcrelay6_configure() does some processing of $config['staticroutes']['route'] without ever filtering out "disabled" static routes. So that code is going to process static routes that are disabled, whatever side-effect that will have.

I looked at this because of forum https://forum.pfsense.org/index.php?topic=74348.msg406471#msg406471 where Dayid Alan noted that he resolved his issue by actually deleting a static route that had been just disabled. I expect that a review of the calls to get_staticroutes() as proposed above will result in this forum issue being fixed also.
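The proposal in the description, sketched as an added example (this is not pfSense code and not from the reporter): one getter with a caller-chosen filter, used by a live NAT-list builder and by an alias-in-use validation check. The function names, the `$enabled_only` parameter, the sample routes and the use of a `disabled` key to mark a disabled route are all assumptions made for illustration.

```php
<?php
// Constructed sample config. Assumption: a disabled route carries a 'disabled' key.
$config = ['staticroutes' => ['route' => [
    ['network' => '10.20.0.0/16',    'gateway' => 'LAN_ROUTER', 'descr' => 'branch office'],
    ['network' => '192.168.50.0/24', 'gateway' => 'LAN_ROUTER', 'descr' => 'old lab', 'disabled' => ''],
    ['network' => 'lab_nets',        'gateway' => 'LAN_ROUTER', 'descr' => 'alias route', 'disabled' => ''],
]]];

// Hypothetical getter: the caller decides whether it wants all routes or only enabled ones.
function example_get_staticroutes(array $config, bool $enabled_only = false): array
{
    $routes = $config['staticroutes']['route'] ?? [];
    if (!$enabled_only) {
        return $routes;
    }
    // isset(), not !empty(): the key may be present with an empty value.
    return array_values(array_filter($routes, fn($r) => !isset($r['disabled'])));
}

// Live path: only enabled routes may reach the NAT subnet list.
// Alias expansion is left out of this sketch.
function example_tonatsubnets(array $config): array
{
    return array_column(example_get_staticroutes($config, true), 'network');
}

// Validation path: an alias counts as "in use" even when the route is disabled,
// so that deleting it cannot leave a dangling reference when the route is re-enabled.
function example_alias_in_use(array $config, string $alias): bool
{
    foreach (example_get_staticroutes($config) as $route) {
        if ($route['network'] === $alias) {
            return true;
        }
    }
    return false;
}

// Regression check: no disabled route's network may appear in the live NAT list.
$disabled = array_filter($config['staticroutes']['route'], fn($r) => isset($r['disabled']));
$leaked = array_intersect(array_column($disabled, 'network'), example_tonatsubnets($config));

print_r(example_tonatsubnets($config));
var_dump(example_alias_in_use($config, 'lab_nets'));
var_dump(count($leaked) === 0);
```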
