Bug #4564

closed

DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any

Added by Jim Pingle almost 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Start date: 03/30/2015
% Done: 0%
Affected Version: 2.2.1
Description

If the following events happen, invalid rules may be generated:
  • DHCP WAN has link but the interface cannot obtain an IP address (leaving the interface set to 0.0.0.0/8 while attempting to obtain an IP address)
  • Port forwards are present
  • NAT reflection is enabled and set to Pure NAT mode

The destination can in some cases be "/8" (without an address) or empty, depending on the destination set in the port forwards (e.g. "any").

One example:

There were error(s) loading the rules: /tmp/rules.debug:62: syntax error - The line in question reads [62]: rdr on { re2 re0 openvpn } proto tcp from any to /8 port 81 -> 192.168.1.11

Actions #1

Updated by Ermal Luçi almost 9 years ago

  • Status changed from New to Feedback

I put a fix for this, though more testing is needed.

Actions #2

Updated by Chris Buechler almost 9 years ago

  • Subject changed from DHCP WAN without an IP address can create an invalid ruleset with NAT reflection to DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any
  • Status changed from Feedback to Resolved

It's not very easily replicable if you just let dhclient sit there, but if you 'ifconfig em0 inet 0.0.0.0 netmask 255.0.0.0', it immediately shows the issue. FilterIfList was returning null for its sn until the ifconfig, at which point it started returning 8, with null for IP. The latter is the circumstance that causes this.

It's specific to only port forwards with a destination of "any".

Fix I just pushed confirmed to work.
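The failure mode from the description and from comment #2 (interface list reporting subnet 8 with an empty IP, port forward with destination "any", reflection rule rendered as "to /8"), as an added illustration that is not pfSense's own code: the interface records, the rule builders and the rules.debug sanity check are all constructed for this demo.

```python
"""Constructed illustration of the reflection-rule defect in this bug: a DHCP
WAN with link but no lease sits at 0.0.0.0/8, so the interface list reports
subnet 8 with an empty address, and a port forward with destination "any"
turns that into "to /8" in an rdr rule.  Not pfSense code; the data shapes
below are assumptions made for the demo."""
import re

# Constructed interface records: what the filter generator would be handed.
IFLIST = {
    "wan": {"if": "re0", "ip": "", "sn": 8},            # DHCP WAN, link but no lease
    "lan": {"if": "re2", "ip": "192.168.1.1", "sn": 24},
}

def reflection_dst(ifinfo):
    """Return the destination network for a pure-NAT reflection rule, or None
    when the interface has no usable address (the case this bug covers)."""
    ip, sn = ifinfo.get("ip"), ifinfo.get("sn")
    if not ip or sn is None or ip == "0.0.0.0":
        return None
    return f"{ip}/{sn}"

def buggy_rdr_rule(ifnames, fwd, ifinfo):
    """Pre-fix behaviour: formats the destination unconditionally, which
    yields 'to /8' when ip is empty and sn is 8."""
    dst = f"{ifinfo['ip']}/{ifinfo['sn']}"
    return (f"rdr on {{ {' '.join(ifnames)} }} proto {fwd['proto']} from any "
            f"to {dst} port {fwd['port']} -> {fwd['target']}")

def fixed_rdr_rule(ifnames, fwd, ifinfo):
    """Post-fix behaviour: emit no reflection rule for an interface without an address."""
    dst = reflection_dst(ifinfo)
    if dst is None:
        return None
    return (f"rdr on {{ {' '.join(ifnames)} }} proto {fwd['proto']} from any "
            f"to {dst} port {fwd['port']} -> {fwd['target']}")

# A 'to' destination that is a bare '/N' or is missing entirely (next token is 'port').
BAD_DST = re.compile(r"\bto\s+(?:/\d+|port\b)")

def find_bad_destinations(ruleset_text):
    """Return (line_no, line) pairs from rules.debug-style text whose destination
    is malformed; a cheap sanity check to run before handing the file to pfctl."""
    return [(n, line) for n, line in enumerate(ruleset_text.splitlines(), 1)
            if line.startswith(("rdr", "nat", "pass", "block")) and BAD_DST.search(line)]
```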
