Bug #6273
closed
gateway group will not accept "openvpn" as a group name
Description
Here's the error message:
The following input errors were detected:
The gateway name must not contain invalid characters.
by the way the gateway group name "ipsec"
Updated by Chris Buechler over 8 years ago
- Status changed from New to Not a Bug
- Affected Version deleted (2.3)
It would be a bug if it did. Those cannot be used as a group name, as they're used internally.
Updated by david stievenard over 8 years ago
Sorry, I didn't finish my last sentence -> by the way, the gateway group's name "ipsec" works.
I understand but I don't agree; the "internals" shouldn't affect the names and comments a user wants to input.
If this is a gateway group that I configured for openvpn, the logical name for that gateway group should be "openvpn", isn't it?
I guess there are bugs that are more important than this one.
I suggest a workaround: change the error message into "You can't use this name because it's used internally" instead of "The gateway name must not contain invalid characters".
Updated by Phillip Davis over 8 years ago
The validation is actually done by calling is_validaliasname() and the main criteria is at:
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/util.inc#L1076
if (in_array($name, $reserved, true) || getservbyname($name, "tcp") || getservbyname($name, "udp") || getprotobyname($name))
The reserved words are just "port" and "pass".
getprotobyname() is a PHP function - that effectively prohibits using "tcp", "udp", "ip", "icmp"... as a name.
getservbyname() is a PHP function that checks the (long) list of well-known service names to see if it is known - known ones are not allowed by this validation. So that prohibits "openvpn", and all the other names like "echo", "daytime", "qotd", "http", "www"...
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
I am not sure why those names are bad/unusable in this context. But I guess prohibiting them does not really hurt - you just add some string of your own to the names (e.g. openvpnGWG, wwwGWG) to generate something that is allowed. Prohibiting them would minimize confusion for humans looking through the resulting rule set - no need to wonder if a reference to "openvpn" is to the GWG of that name, or the well-known port.
So maybe it just needs the error message given in response to any is_validaliasname() checks to be a bit more detailed.
Updated by Phillip Davis over 8 years ago
Suggested improved and standardized messages in response to invalid alias, schedule, gateway and gateway group names are in pull request https://github.com/pfsense/pfsense/pull/2916
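
Added example, not part of the thread and not pfSense code: a PHP sketch of the name check discussed above that reports which rule rejected a name instead of one generic message. The function name `name_rejection_reason()` and the character rule are assumptions, and the lookups depend on the host's services and protocols databases.

```php
<?php
// Added illustration, not pfSense code. name_rejection_reason() is a
// hypothetical helper. Assumption: the character rule below (letters,
// digits, underscore) is illustrative; the thread does not show the real one.

function name_rejection_reason(string $name): ?string
{
    $reserved = ['port', 'pass'];   // the reserved words named in the thread

    if ($name === '' || preg_match('/[^a-zA-Z0-9_]/', $name)) {
        return 'contains invalid characters';
    }
    if (in_array($name, $reserved, true)) {
        return "'$name' is a reserved word";
    }
    // Service lookup: any name present in the services database is refused,
    // which is what catches "openvpn", "http", "www" and similar.
    foreach (['tcp', 'udp'] as $proto) {
        $port = getservbyname($name, $proto);
        if ($port !== false) {
            return "'$name' is a well-known service name ($port/$proto)";
        }
    }
    // Protocol lookup: compare strictly against false, because 0 is a valid
    // protocol number and would otherwise be treated as "not found".
    $number = getprotobyname($name);
    if ($number !== false) {
        return "'$name' is a protocol name (protocol $number)";
    }
    return null;   // no rule matched: the name is usable
}

// Constructed sample names, taken from the discussion plus one with a hyphen.
$candidates = ['openvpn', 'ipsec', 'openvpnGWG', 'pass', 'tcp', 'ip', 'my-gw'];
foreach ($candidates as $candidate) {
    $reason = name_rejection_reason($candidate);
    printf("%-12s %s\n", $candidate,
        $reason === null ? 'accepted' : "rejected: $reason");
}
```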