Bug #4564

DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any

Added by Jim Pingle about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 03/30/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.1
Affected Architecture:
Description

If the following events happen, invalid rules may be generated:
  • DHCP WAN has link but the interface cannot obtain an IP address (leaving the interface set to 0.0.0.0/8 while attempting to obtain an IP address)
  • Port forwards are present
  • NAT reflection is enabled and set to Pure NAT mode

The destination can in some cases be "/8" (without an address) or empty, depending on the destination set in the port forwards (e.g. "any").

One example:

There were error(s) loading the rules: /tmp/rules.debug:62: syntax error - The line in question reads [62]: rdr on { re2 re0 openvpn } proto tcp from any to /8 port 81 -> 192.168.1.11
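The following is an added example, written in Python rather than pfSense's own PHP and not taken from the pfSense code base, that models the rule generation described above: a port forward with destination "any" is expanded into one reflection rdr per interface using that interface's own subnet, so a DHCP WAN sitting at 0.0.0.0/8 with no address contributes "/8" (or "" when the subnet is not known either). The interface and port-forward data, the REFLECT_ON group and the function names are all constructed for the example; the lint function stands in for pfctl rejecting the line when /tmp/rules.debug is loaded.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Iface:
    name: str          # pf interface name, e.g. "re1"
    ip: Optional[str]  # None while dhclient has not obtained a lease
    sn: Optional[int]  # prefix length; 8 once the interface sits at 0.0.0.0/8


@dataclass
class PortForward:
    proto: str
    dst: str           # "any" or a specific destination address
    port: int
    target: str


# Constructed sample data (assumptions, not the ticket's real system):
# a DHCP WAN with link but no lease, and a LAN with an address.
WAN = Iface("re1", None, 8)
LAN = Iface("re0", "192.168.1.1", 24)
FORWARD_ANY = PortForward("tcp", "any", 81, "192.168.1.11")
FORWARD_LAN = PortForward("tcp", "192.168.1.1", 443, "192.168.1.11")
REFLECT_ON = "{ re2 re0 openvpn }"  # interfaces the reflection rdr is bound to


def subnet_str(iface: Iface) -> str:
    """Destination as built before the fix: ip and sn concatenated with no
    check that either is present. sn=8 with no address gives "/8";
    neither present gives "" (the two failure modes in the ticket)."""
    ip = iface.ip or ""
    return ip if iface.sn is None else f"{ip}/{iface.sn}"


def reflection_rdr(fwd: PortForward, dst: str) -> str:
    return (f"rdr on {REFLECT_ON} proto {fwd.proto} from any to {dst} "
            f"port {fwd.port} -> {fwd.target}")


def generate_buggy(ifaces: List[Iface], forwards: List[PortForward]) -> List[str]:
    """Pre-fix behaviour: destination "any" expands to every interface's
    subnet, whether or not the interface has an address yet."""
    rules = []
    for fwd in forwards:
        if fwd.dst == "any":
            for iface in ifaces:
                rules.append(reflection_rdr(fwd, subnet_str(iface)))
        else:
            rules.append(reflection_rdr(fwd, fwd.dst))
    return rules


def generate_fixed(ifaces: List[Iface], forwards: List[PortForward]) -> List[str]:
    """Post-fix behaviour, as the commit messages describe it: skip the
    reflection rdr for an interface that has no IP, and never emit an
    empty destination."""
    rules = []
    for fwd in forwards:
        if fwd.dst == "any":
            for iface in ifaces:
                if not iface.ip:
                    continue  # no address yet: no reflection rule for it
                rules.append(reflection_rdr(fwd, subnet_str(iface)))
        elif fwd.dst:
            rules.append(reflection_rdr(fwd, fwd.dst))
    return rules


RULE_RE = re.compile(r"^rdr on \{[^}]*\} proto \w+ from any to (\S*) port \d+ -> \S+$")


def lint_ruleset(rules: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every rdr whose destination pf would
    reject: empty, or a prefix length with no host part such as "/8"."""
    bad = []
    for n, rule in enumerate(rules, 1):
        m = RULE_RE.match(rule)
        dst = m.group(1) if m else ""
        if dst == "any":
            continue
        try:
            ipaddress.ip_network(dst, strict=False)
        except ValueError:
            bad.append((n, rule))
    return bad


if __name__ == "__main__":
    for label, gen in (("before fix", generate_buggy), ("after fix", generate_fixed)):
        rules = gen([WAN, LAN], [FORWARD_ANY, FORWARD_LAN])
        print(f"# {label}")
        for r in rules:
            print(r)
        for n, r in lint_ruleset(rules):
            print(f"syntax error at line {n}: {r}")
```

Running it prints the pre-fix ruleset containing the same `from any to /8 port 81` line pfctl choked on, flagged by the lint, and the post-fix ruleset in which the WAN simply gets no reflection rdr until it has an address; the port forward with a specific destination is unaffected either way.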

Associated revisions

Revision b9115c26 (diff)
Added by Ermal Luçi about 4 years ago

Prevent empty addresses from being put in the ruleset. Ticket #4564

Revision f6f11800 (diff)
Added by Ermal Luçi about 4 years ago

Prevent empty addresses from being put in the ruleset. Ticket #4564

Revision 5274ecf0 (diff)
Added by Chris Buechler about 4 years ago

Skip reflection rdrs where the interface doesn't have an IP. Ticket #4564

Revision eae4f953 (diff)
Added by Chris Buechler about 4 years ago

Skip reflection rdrs where the interface doesn't have an IP. Ticket #4564

History

#1 Updated by Ermal Luçi about 4 years ago

  • Status changed from New to Feedback

I put in a fix for this, though more testing is needed.

#2 Updated by Chris Buechler about 4 years ago

  • Subject changed from DHCP WAN without an IP address can create an invalid ruleset with NAT reflection to DHCP WAN without an IP address can create an invalid ruleset with NAT reflection and destination any
  • Status changed from Feedback to Resolved

It's not very easily replicable if you just let dhclient sit there, but if you 'ifconfig em0 inet 0.0.0.0 netmask 255.0.0.0', it immediately shows the issue. FilterIfList was returning null for its sn until the ifconfig, at which point it started returning 8, with null for IP. The latter is the circumstance that causes this.

It's specific to only port forwards with a destination of "any".

Fix I just pushed confirmed to work.
