Actions
Bug #4772
closedL2TP + "Enable automatic outbound NAT for Reflection" + L2TP subnet overlapping + Port forwards can lead to a broken ruleset
Start date:
06/17/2015
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.x
Affected Architecture:
All
Description
If the L2TP subnet overlaps a subnet that contains a port forward target, and automatic outbound NAT for reflection is enabled, then an invalid ruleset can be generated:
From "pfctl -f /tmp/rules.debug":
no IP address found for l2tp /tmp/rules.debug:129: could not parse host specification no IP address found for l2tp /tmp/rules.debug:137: could not parse host specification
From "grep -ni l2tp /tmp/rules.debug" (relevant lines only):
129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah 137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2
In this context "l2tp" is not valid as a "from" specification.
Updated by Jim Pingle over 9 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 2e0397e05b6168dfcfbd04c9f3629a988744a8b2.
Updated by Jim Pingle over 9 years ago
Applied in changeset e932c35017d0c5e35957e01c90dab57a0519f588.
Actions