Project

General

Profile

Actions

Bug #7421

closed

Unresolvable port alias is omitted from rule rather than generating an error

Added by Jim Pingle over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Rules / NAT
Target version:
Start date:
03/23/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

GUI validation prevents this from happening, but if a port alias is missing from the firewall configuration, a rule using that alias is still included in the ruleset, but without the port. No errors are generated by the firewall.

The only way this can happen is if the user, against all advice, hand edits the configuration and accidentally omits or deletes the port alias.

That said, we toss out rules that have missing source/destination address aliases, so we should be consistent and toss out missing port alias rules the same way.

To me, I have a patch.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Phillip Davis over 4 years ago

Test:
a) Add an alias and a rule that uses it
b) Backup config
c) Edit config, delete the alias but leave the rule in place
d) Restore the config
Outcome after system reboots:
a) Dashboard notice is given saying "Unresolvable destination port alias 'p999' for rule blah"
b) /tmp/rules.debug contains a comment about the problem rule, like:
  1. Unresolvable destination port alias 'p999' for rule 'blah' label "USER_RULE"
    and the actual rule is omitted from the ruleset

All good

Actions #3

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

Great, thanks for testing!

Actions #4

Updated by Jim Pingle over 4 years ago

There was a problem with this code and validating port ranges. I pushed another fix that should cover that case as well.

Actions #5

Updated by Phillip Davis over 4 years ago

Changed code works also, and better - it allows port ranges through :)

While testing, I also entered an empty alias, which also breaks the ruleset. That is a different "feature" to the one here, so I raised issue https://redmine.pfsense.org/issues/7428 to track that.

Actions #6

Updated by Jim Pingle over 4 years ago

I'll close this out and check out the other ticket/PR shortly. Thanks!

Actions

Also available in: Atom PDF