Bug #4640

closed

"Disable Cisco Extensions" change toggles "Auto-exclude LAN address" setting

Added by B. Derman over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
04/19/2015
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.2
Affected Architecture:

Description

After updating from 2.2.1 to 2.2.2, in VPN -> IPsec -> Advanced Settings, the check-box setting for "Disable Cisco Extensions" now toggles whatever the setting was for "Auto-exclude LAN address" and the checkbox for "Auto-exclude LAN address" ignores any attempts to set it on its own.

Note that the "Auto-exclude LAN address" setting is reversed from whatever it was previously (i.e., from the v2.2.1 setup) whenever the "Disable Cisco Extensions" is reversed -- i.e., depending upon the "Auto-exclude LAN address" setting inherited from v2.2.1, the "Auto-exclude LAN address" checkbox will either always be the same as the "Disable Cisco Extensions" setting or it will always be the opposite of the "Disable Cisco Extensions".

(Suggestion: "Affected Architecture" settings should be checkboxes, perhaps each paired with a "not tested" option)

This issue affects at least amd64 and i386.

Actions #1

Updated by Phillip Davis over 6 years ago

Actually the "Auto-exclude LAN address" setting is being displayed opposite to what is in the config. Every time you press save that opposite setting gets saved, then it displays the "opposite of the opposite"... so regardless of what you do with other settings on that page, "Auto-exclude LAN address" toggles its state every time you press save.
This fixes the toggling: https://github.com/pfsense/pfsense/pull/1624

Users of IPsec and this setting need to check and confirm if the way the resulting IPsec is implemented actually corresponds correctly to the on/off of this check box.
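
A minimal model of the toggle described in comment #1, added here as an illustration and not taken from pfSense or from pull request 1624: the page displays the inverse of a presence-style config key, and Save writes back whatever is displayed. The key name is the one quoted later in this thread; the dict-based config, the function names and the key's semantics are assumptions.

```python
# Added illustration: a settings page backed by a negated, presence-style
# config key. This is a model of the reported behaviour, not pfSense code.
KEY = "noshuntlaninterfaces"  # name quoted in the thread; semantics assumed


def load_buggy(config):
    """Checkbox state as displayed: inverted relative to the stored key."""
    return KEY not in config


def load_fixed(config):
    """Checkbox state as displayed: mirrors the stored key."""
    return KEY in config


def save(config, checked):
    """Persist the checkbox: key present when checked, absent otherwise."""
    new = dict(config)
    if checked:
        new[KEY] = True
    else:
        new.pop(KEY, None)
    return new


def press_save(load, config, user_sets=None):
    """One page load followed by Save; user_sets=None leaves the box untouched."""
    shown = load(config)
    submitted = shown if user_sets is None else user_sets
    return save(config, submitted)


def history(load, config, presses):
    """Stored state of KEY after each of `presses` untouched saves."""
    states = []
    for _ in range(presses):
        config = press_save(load, config)
        states.append(KEY in config)
    return states


def round_trip_stable(load, config):
    """Regression check: load + Save with no edits must leave the config as is."""
    return press_save(load, config) == config
```

Running `round_trip_stable` over every checkbox on a settings page, for both stored states, catches this class of defect before a policy-relevant option such as a LAN bypass silently changes on an unrelated save.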

Actions #2

Updated by Kill Bill over 6 years ago

I am totally confused. So I applied this, checked the checkbox and the bypasslan connection got deleted.

Apr 20 08:21:01    charon: 09[CFG] deleted connection 'bypasslan'
Apr 20 08:21:01    charon: 09[CFG] received stroke: delete connection 'bypasslan'
Apr 20 08:21:01    ipsec_starter[43206]:
Apr 20 08:21:01    charon: 08[CFG] received stroke: unroute 'bypasslan'

@devs: Please stop using *no*variable names. Everywhere. This is not the only place in pfSense that uses this reversed logic that only makes things extremely confusing and difficult to understand.

Actions #3

Updated by Kill Bill over 6 years ago

Indeed confirmed. The GUI description is totally inverted to the actual behaviour. Stuff like noshuntlaninterfaces, nofoobar, noblehblah is extremely evil.

Actions #4

Updated by Ermal Luçi over 6 years ago

  • Status changed from New to Feedback

Merged pull request.

Actions #5

Updated by Phillip Davis over 6 years ago

  • % Done changed from 0 to 100

Actions #6

Updated by Ermal Luçi over 6 years ago

Actions #7

Updated by Kill Bill over 6 years ago

Errr... let me repeat this once again: this does the exact opposite of what's described in the GUI! When you enable the setting, the bypass gets disabled.

Actions #8

Updated by Chris Buechler over 6 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.2.3
  • Affected Architecture added
  • Affected Architecture deleted (amd64)

last bit fixed under #4655
