Bug #6927

1 to 1 NAT allows entry of mixed IP addresses

Added by Phillip Davis 10 months ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules/NAT
Target version:
Start date: 11/13/2016
Due date:
% Done: 100%
Affected version: 2.3.2
Affected Architecture:

Description

When adding a 1:1 NAT entry it is possible to enter a mix of IPv4 and IPv6 addresses in the various External, Internal and Destination IP boxes, which is not caught by the validation. Thus getting "error loading the rules", such as this example rubbish that I entered to get the message:

/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:45: binat ip versions must match - The line in question reads [45]: binat on em0 from 1.2.3.4 to aaaa::4/31 -> bbbb::0

I guess it should make sure all the addresses are of one IP address family.

Associated revisions

Revision bcdf4534
Added by Phillip Davis 9 months ago

Fix #6927 1:1 NAT validate address family

Ensure that all the manually-entered addresses come from the same
address family - i.e. they are all either IPv4 or IPv6 addresses.

Revision 42db415e
Added by Phillip Davis 9 months ago

Fix #6927 1:1 NAT validate address family

Ensure that all the manually-entered addresses come from the same
address family - i.e. they are all either IPv4 or IPv6 addresses.
(cherry picked from commit bcdf453402a2f742b2656cd59602250f062896ee)

Revision f75f0ef7
Added by Phillip Davis 9 months ago

Fix #6927 1:1 NAT validate address family

Ensure that all the manually-entered addresses come from the same
address family - i.e. they are all either IPv4 or IPv6 addresses.
(cherry picked from commit bcdf453402a2f742b2656cd59602250f062896ee)
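
The check described in the report and in the commit messages above, sketched as an added example in Python; it is not the pfSense code and not part of the original ticket. The field names, the treatment of non-literal values such as "any", and the assignment of the report's sample addresses to fields are assumptions.

```python
import ipaddress


def address_family(value):
    """Return 4 or 6 for a literal IP address or CIDR subnet, else None.

    None means "not a manually entered address": an empty field or a
    symbolic choice such as "any" (assumed field values). Malformed input
    also yields None here and must be rejected by a separate syntax check.
    """
    value = (value or "").strip()
    if not value:
        return None
    try:
        # strict=False accepts host bits set under the mask, e.g. aaaa::4/31
        return ipaddress.ip_network(value, strict=False).version
    except ValueError:
        return None


def validate_binat_families(fields):
    """fields maps a field name to the value the user entered.

    Returns a list of error strings; an empty list means every literal
    address in the entry belongs to the same address family.
    """
    families = {name: address_family(v) for name, v in fields.items()}
    literal = {n: f for n, f in families.items() if f is not None}
    if len(set(literal.values())) <= 1:
        return []
    detail = ", ".join(f"{n} is IPv{f}" for n, f in literal.items())
    return ["External, Internal and Destination addresses must all be "
            f"IPv4 or all be IPv6 ({detail})."]


if __name__ == "__main__":
    # Addresses from the rule line quoted in the report; which box each one
    # was typed into is assumed.
    mixed = {"internal": "1.2.3.4", "destination": "aaaa::4/31",
             "external": "bbbb::0"}
    print(validate_binat_families(mixed))
    # Constructed, consistent entry: passes with no errors.
    print(validate_binat_families({"internal": "10.0.0.5",
                                   "destination": "any",
                                   "external": "192.0.2.10"}))
```

Running the check when the form is saved rejects the entry before a `binat` line is generated, so the ruleset reload cannot fail with "binat ip versions must match".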

History

#1 Updated by Phillip Davis 10 months ago

At the moment it allows entry of IPv6 addresses. Is that correct? Is the 1:1 NAT feature supposed to work fine with IPv6?

#2 Updated by Jim Pingle 10 months ago

1:1 NAT does work for IPv6. It's similar to NPt, but for a single address -- NPt is really just a slightly different syntax for 1:1 NAT.

Sounds like the validation needs to ensure the address types match in this case.

#4 Updated by Phillip Davis 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Phillip Davis 8 months ago

Target version could be set to 2.4.0 and then some independent person test.

#6 Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved
  • Assignee set to Phillip Davis
  • Target version set to 2.4.0

Yes, this should have a 2.4 target. And it's already been tested, but I tested it again on a current snapshot and it's correctly validating.

#7 Updated by Jim Pingle 7 months ago

  • Target version changed from 2.4.0 to 2.3.3
