Project

General

Profile

Actions

Bug #4772

closed

L2TP + "Enable automatic outbound NAT for Reflection" + L2TP subnet overlapping + Port forwards can lead to a broken ruleset

Added by Jim Pingle almost 9 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
06/17/2015
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.x
Affected Architecture:
All

Description

If the L2TP subnet overlaps a subnet that contains a port forward target, and automatic outbound NAT for reflection is enabled, then an invalid ruleset can be generated:

From "pfctl -f /tmp/rules.debug":

no IP address found for l2tp
/tmp/rules.debug:129: could not parse host specification
no IP address found for l2tp
/tmp/rules.debug:137: could not parse host specification

From "grep -ni l2tp /tmp/rules.debug" (relevant lines only):

129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah
137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2

In this context "l2tp" is not valid as a "from" specification.

Actions

Also available in: Atom PDF