Bug #6927
closed
1 to 1 NAT allows entry of mixed IP addresses
100%
Description
When adding a 1:1 NAT entry it is possible to enter a mix of IPv4 and IPv6 addresses in the various External Internal and Destination IP boxes, which is not caught by the validation. Thus getting "error loading the rules", such as this example rubbish that I entered to get the message:
/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:45: binat ip versions must match - The line in question reads [45]: binat on em0 from 1.2.3.4 to aaaa::4/31 -> bbbb::0
I guess it should make sure all the addresses are of one IP address family.
Updated by Phillip Davis over 7 years ago
At the moment it allows entry of IPv6 addresses. Is that correct? Is the 1:1 NAT feature supposed to work fine with IPv6?
Updated by Jim Pingle over 7 years ago
1:1 NAT does work for IPv6. It's similar to NPt, but for a single address -- NPt is really just a slightly different syntax for 1:1 NAT.
Sounds like the validation needs to ensure the address types match in this case.
Updated by Phillip Davis over 7 years ago
Pull Request https://github.com/pfsense/pfsense/pull/3258
Updated by Phillip Davis over 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset bcdf453402a2f742b2656cd59602250f062896ee.
Updated by Phillip Davis over 7 years ago
Target version could be set to 2.4.0 and then some independent person test.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
- Assignee set to Phillip Davis
- Target version set to 2.4.0
Yes, this should have a 2.4 target. And it's already been tested, but I tested it again on a current snapshot and it's correctly validating.
Updated by Jim Pingle about 7 years ago
- Target version changed from 2.4.0 to 2.3.3