Bug #7421

Unresolvable port alias is omitted from rule rather than generating an error

Added by Jim Pingle about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: Low
Assignee:
Category: Rules/NAT
Target version:
Start date: 03/23/2017
Due date:
% Done: 100%
Affected version: All
Affected Architecture: All

Description

GUI validation prevents this from happening, but if a port alias is missing from the firewall configuration, a rule using that alias is still included in the ruleset, but without the port. No errors are generated by the firewall.

The only way this can happen is if the user, against all advice, hand edits the configuration and accidentally omits or deletes the port alias.

That said, we toss out rules that have missing source/destination address aliases, so we should be consistent and toss out missing port alias rules the same way.

To me, I have a patch.
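As an added illustration (not pfSense's own filter code), the following Python model shows the fail-closed behaviour the fix introduces: a rule whose destination port cannot be resolved is replaced by a notice and a ruleset comment instead of being emitted without its port, which would otherwise match every port. The alias table, rule fields and rule names are constructed sample data; port ranges in the "lo-hi" or "lo:hi" form are accepted, matching the follow-up range fix.

```python
import re

# Constructed sample data: alias table and rules as a ruleset generator might see them.
# 'p999' is deliberately absent from ALIASES to reproduce the missing-alias case.
ALIASES = {"web_ports": "80 443", "dns": "53"}

RULES = [
    {"id": "allow_web", "proto": "tcp", "dst": "192.0.2.10", "dstport": "web_ports"},
    {"id": "blah", "proto": "tcp", "dst": "192.0.2.20", "dstport": "p999"},
    {"id": "allow_range", "proto": "udp", "dst": "192.0.2.30", "dstport": "1000-2000"},
]

PORT_RE = re.compile(r"^\d{1,5}$")
RANGE_RE = re.compile(r"^(\d{1,5})[-:](\d{1,5})$")


def resolve_port(spec, aliases):
    """Return a pf port expression for spec, or None if it cannot be resolved."""
    if PORT_RE.match(spec) and 0 < int(spec) <= 65535:
        return spec
    m = RANGE_RE.match(spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return f"{lo}:{hi}" if 0 < lo <= hi <= 65535 else None
    if spec in aliases:
        return f"${spec}"  # pf macro defined from the alias table (assumed convention)
    return None


def build_ruleset(rules, aliases):
    """Return (ruleset_lines, notices).

    A rule with an unresolvable port is omitted and recorded, rather than
    written without a port, so the generated ruleset never silently widens.
    """
    lines, notices = [], []
    for r in rules:
        port = resolve_port(r["dstport"], aliases)
        if port is None:
            msg = f"Unresolvable destination port alias '{r['dstport']}' for rule '{r['id']}'"
            notices.append(msg)  # would be filed as a dashboard notice
            lines.append(f"# {msg}")  # comment left in the ruleset for troubleshooting
            continue
        lines.append(
            f'pass in proto {r["proto"]} to {r["dst"]} port {port} label "USER_RULE: {r["id"]}"'
        )
    return lines, notices
```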

Associated revisions

Revision 224e1648
Added by Jim Pingle about 1 month ago

File a notice and omit rule(s) using a missing port alias. Fixes #7421

Revision 72040e44
Added by Jim Pingle about 1 month ago

File a notice and omit rule(s) using a missing port alias. Fixes #7421

Revision bf4440b4
Added by Jim Pingle about 1 month ago

File a notice and omit rule(s) using a missing port alias. Fixes #7421

Revision dd844c43
Added by Jim Pingle about 1 month ago

Fix handling of port ranges in this validation test. Ticket #7421

Revision 0034bbc1
Added by Jim Pingle about 1 month ago

Fix handling of port ranges in this validation test. Ticket #7421

Revision 70cd5c34
Added by Jim Pingle about 1 month ago

Fix handling of port ranges in this validation test. Ticket #7421

History

#1 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Phillip Davis about 1 month ago

Test:
a) Add an alias and a rule that uses it
b) Backup config
c) Edit config, delete the alias but leave the rule in place
d) Restore the config
Outcome after system reboots:
a) Dashboard notice is given saying "Unresolvable destination port alias 'p999' for rule blah"
b) /tmp/rules.debug contains a comment about the problem rule, like:
   # Unresolvable destination port alias 'p999' for rule 'blah' label "USER_RULE"
   and the actual rule is omitted from the ruleset

All good

#3 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

Great, thanks for testing!

#4 Updated by Jim Pingle about 1 month ago

There was a problem with this code and validating port ranges. I pushed another fix that should cover that case as well.

#5 Updated by Phillip Davis about 1 month ago

Changed code works also, and better - it allows port ranges through :)

While testing, I also entered an empty alias, which also breaks the ruleset. That is a different "feature" to the one here, so I raised issue https://redmine.pfsense.org/issues/7428 to track that.

#6 Updated by Jim Pingle about 1 month ago

I'll close this out and check out the other ticket/PR shortly. Thanks!