
Bug #4772

L2TP + "Enable automatic outbound NAT for Reflection" + L2TP subnet overlapping + Port forwards can lead to a broken ruleset

Added by Jim Pingle almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules/NAT
Target version:
Start date: 06/17/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.2.x
Affected Architecture: All

Description

If the L2TP subnet overlaps a subnet that contains a port forward target, and automatic outbound NAT for reflection is enabled, then an invalid ruleset can be generated:

From "pfctl -f /tmp/rules.debug":

no IP address found for l2tp
/tmp/rules.debug:129: could not parse host specification
no IP address found for l2tp
/tmp/rules.debug:137: could not parse host specification

From "grep -ni l2tp /tmp/rules.debug" (relevant lines only):

129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah
137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2

In this context "l2tp" is not valid as a "from" specification.
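An added example (not pfSense's own code) that models the two halves of this report in Python: a simplified reflection-rule generator that skips sources such as "l2tp", which pf cannot expand in a "from" specification, and a check that scans rules.debug or the grep output above for rules pf would reject. The port-forward dict shape and the blacklist set are assumptions of the example.

```python
import re

# Interface names pf accepts after "on" but cannot expand inside a "from"
# host specification. The report shows "l2tp"; anything else is left to the
# operator (assumption: this is not pfSense's own blacklist).
INVALID_FROM_SOURCES = frozenset({"l2tp"})

# One "no nat" reflection rule, with or without the "NNN:" prefix of grep -n.
NO_NAT_RE = re.compile(
    r"^(?:(?P<lineno>\d+):)?\s*no nat on (?P<iface>\S+) proto \S+ "
    r"from (?P<src>\S+) to \S+ port \S+\s*$"
)


def reflection_no_nat_rules(port_forwards, blacklist=INVALID_FROM_SOURCES):
    """Emit one "no nat" rule per (port forward, overlapping interface) pair,
    skipping interface names that are not valid as a pf "from" source.
    Each port forward is a dict {"proto", "target", "port", "ifaces"}; the
    shape is constructed for this example, not pfSense's config format."""
    rules = []
    for fwd in port_forwards:
        for iface in fwd["ifaces"]:
            if iface in blacklist:
                continue  # pf would report: no IP address found for l2tp
            rules.append(
                f"no nat on {iface} proto {fwd['proto']} from {iface} "
                f"to {fwd['target']} port {fwd['port']}"
            )
    return rules


def find_invalid_from(lines, blacklist=INVALID_FROM_SOURCES):
    """Scan rules.debug lines (or "grep -n" output) and return (line_no, src)
    for each "no nat" rule whose "from" is a blacklisted interface name."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = NO_NAT_RE.match(line)
        if m and m.group("src") in blacklist:
            lineno = int(m.group("lineno")) if m.group("lineno") else n
            hits.append((lineno, m.group("src")))
    return hits


# Constructed sample: the two lines quoted in the report plus one valid rule.
SAMPLE_GREP_OUTPUT = [
    "128:no nat on lan proto tcp from lan to 192.0.2.10 port 443",
    "129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah",
    "137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2",
]
```

Running `find_invalid_from` over the real `/tmp/rules.debug` before loading it with `pfctl -f` reports the same two line numbers pf complains about, without having to apply a broken ruleset first.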

Associated revisions

Revision 2e0397e0 (diff)
Added by Jim Pingle almost 4 years ago

Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. Fixes #4772

Revision e932c350 (diff)
Added by Jim Pingle almost 4 years ago

Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. Fixes #4772

History

#1 Updated by Jim Pingle almost 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#3 Updated by Chris Buechler almost 4 years ago

  • Status changed from Feedback to Resolved

works
