Bug #7421
closed
Unresolvable port alias is omitted from rule rather than generating an error
100%
Description
GUI validation prevents this from happening, but if a port alias is missing from the firewall configuration, a rule using that alias is still included in the ruleset, but without the port. No errors are generated by the firewall.
The only way this can happen is if the user, against all advice, hand edits the configuration and accidentally omits or deletes the port alias.
That said, we toss out rules that have missing source/destination address aliases, so we should be consistent and toss out missing port alias rules the same way.
To me, I have a patch.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 224e1648174e4a27b7f091fe348a81c74bacf23e.
Updated by Phillip Davis over 7 years ago
a) Add an alias and a rule that uses it
b) Backup config
c) Edit config, delete the alias but leave the rule in place
d) Restore the config
Outcome after system reboots:
a) Dashboard notice is given saying "Unresolvable destination port alias 'p999' for rule blah"
b) /tmp/rules.debug contains a comment about the problem rule, like:
- Unresolvable destination port alias 'p999' for rule 'blah' label "USER_RULE"
and the actual rule is omitted from the ruleset
All good
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
Great, thanks for testing!
Updated by Jim Pingle over 7 years ago
There was a problem with this code and validating port ranges. I pushed another fix that should cover that case as well.
Updated by Phillip Davis over 7 years ago
Changed code works also, and better - it allows port ranges through :)
While testing, I also entered an empty alias, which also breaks the ruleset. That is a different "feature" to the one here, so I raised issue https://redmine.pfsense.org/issues/7428 to track that.
Updated by Jim Pingle over 7 years ago
I'll close this out and check out the other ticket/PR shortly. Thanks!