Bug #4564 (closed)
DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any
Start date: 03/30/2015
% Done: 0%
Affected Version: 2.2.1
Description
If all of the following conditions hold, invalid rules may be generated:
- DHCP WAN has link but the interface cannot obtain an IP address (leaving the interface set to 0.0.0.0/8 while attempting to obtain an IP address)
- Port forwards are present
- NAT reflection is enabled and set to Pure NAT mode
Depending on the destination set in the port forwards (e.g. "any"), the destination in the generated reflection rule can in some cases be "/8" (without an address) or empty.
One example:
There were error(s) loading the rules: /tmp/rules.debug:62: syntax error - The line in question reads [62]: rdr on { re2 re0 openvpn } proto tcp from any to /8 port 81 -> 192.168.1.11
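To make the failure mode concrete, here is an added example (not pfSense code; the interface records, forward record and function names are assumptions for illustration) in Python. It reconstructs the rule shape from the report, shows how a destination of "any" rewritten from a WAN that has no address yet produces "/8" or an empty destination, and then a hardened generator that treats a missing address or the 0.0.0.0/8 placeholder as "no usable network" and skips the reflection rule instead, with a well-formedness check on the emitted rdr line as a second guard:

```python
import ipaddress
import re

# Constructed interface states (labels and values are assumptions for this
# example, not pfSense's FilterIfList output). A DHCP WAN with link but no
# lease sits at 0.0.0.0/8, which the generator sees as ip=None, sn=8.
WAN_NO_LINK = {"if": "re0", "ip": None, "sn": None}
WAN_NO_LEASE = {"if": "re0", "ip": None, "sn": 8}
WAN_WITH_LEASE = {"if": "re0", "ip": "203.0.113.7", "sn": 24}
REFLECTION_IFS = ["re2", "re0", "openvpn"]

# Constructed port forward with destination "any" (the case the bug is specific to).
FORWARD_ANY = {"proto": "tcp", "dst": "any", "dstport": 81, "target": "192.168.1.11"}


def _rdr(forward, dst, reflection_ifs):
    """Build one pf rdr line in the shape shown in the bug report."""
    ifs = " ".join(reflection_ifs)
    return (f"rdr on {{ {ifs} }} proto {forward['proto']} from any to {dst} "
            f"port {forward['dstport']} -> {forward['target']}")


def naive_reflection_rule(forward, wan, reflection_ifs):
    """Failure mode (assumed reconstruction): a reflected 'any' destination is
    rewritten to the WAN network by string concatenation, so a WAN without an
    address yields '/8' (sn set, ip missing) or an empty destination (both missing)."""
    if forward["dst"] == "any":
        ip = wan["ip"] or ""
        dst = f"{ip}/{wan['sn']}" if wan["sn"] is not None else ip
    else:
        dst = forward["dst"]
    return _rdr(forward, dst, reflection_ifs)


def usable_network(ip, sn):
    """Return the interface network, or None when there is no real address yet
    (missing fields, unparsable values, or the 0.0.0.0/8 placeholder)."""
    if ip is None or sn is None:
        return None
    try:
        net = ipaddress.ip_network(f"{ip}/{sn}", strict=False)
    except ValueError:
        return None
    if net.network_address.is_unspecified:
        return None
    return net


def reflection_rdr_rule(forward, wan, reflection_ifs):
    """Hardened generator: return None (skip the reflection rule) instead of
    emitting a destination pf cannot parse."""
    if forward["dst"] == "any":
        net = usable_network(wan["ip"], wan["sn"])
        if net is None:
            return None
        dst = str(net)
    else:
        dst = forward["dst"]
    return _rdr(forward, dst, reflection_ifs)


RDR_RE = re.compile(
    r"^rdr on \{ [\w ]+ \} proto (?:tcp|udp) from any to (\S+) port \d+ -> \S+$")


def rdr_line_is_wellformed(line):
    """Second guard: the destination token must be 'any' or a parsable
    address/network, which is exactly what pf rejected in rules.debug."""
    m = RDR_RE.match(line)
    if m is None:
        return False
    dst = m.group(1)
    if dst == "any":
        return True
    try:
        ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return False
    return True


def generate_reflection_rules(forwards, wan, reflection_ifs):
    """Emit only rules that were generated and pass the well-formedness check."""
    rules = []
    for fwd in forwards:
        line = reflection_rdr_rule(fwd, wan, reflection_ifs)
        if line is not None and rdr_line_is_wellformed(line):
            rules.append(line)
    return rules


if __name__ == "__main__":
    for wan in (WAN_NO_LINK, WAN_NO_LEASE, WAN_WITH_LEASE):
        bad = naive_reflection_rule(FORWARD_ANY, wan, REFLECTION_IFS)
        print(f"naive:   {bad!r}  wellformed={rdr_line_is_wellformed(bad)}")
        print(f"checked: {generate_reflection_rules([FORWARD_ANY], wan, REFLECTION_IFS)}")
```

Skipping the reflection rule while the WAN has no address is the safe choice here: the forward itself still exists, and the reflection rule is regenerated once dhclient obtains a lease and the filter is reloaded. The line check is deliberately kept separate from the generator so it can also be run over an existing rules file before it is handed to pfctl.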
Updated by Ermal Luçi over 9 years ago
- Status changed from New to Feedback
I put in a fix for this, though more testing is needed.
Updated by Chris Buechler over 9 years ago
- Subject changed from DHCP WAN without an IP address can create an invalid ruleset with NAT reflection to DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any
- Status changed from Feedback to Resolved
It's not very easily replicable if you just let dhclient sit there, but if you 'ifconfig em0 inet 0.0.0.0 netmask 255.0.0.0', it immediately shows the issue. FilterIfList was returning null for its sn until the ifconfig, at which point it started returning 8, with null for IP. The latter is the circumstance that causes this.
It's specific to only port forwards with a destination of "any".
Fix I just pushed confirmed to work.