Unresolvable port alias is omitted from rule rather than generating an error
GUI validation prevents this from happening, but if a port alias is missing from the firewall configuration, a rule using that alias is still included in the ruleset, but without the port. No errors are generated by the firewall.
The only way this can happen is if the user, against all advice, hand edits the configuration and accidentally omits or deletes the port alias.
That said, we toss out rules that have missing source/destination address aliases, so we should be consistent and toss out missing port alias rules the same way.
To me, I have a patch.
#2 Updated by Phillip Davis about 2 years ago
a) Add an alias and a rule that uses it
b) Backup config
c) Edit config, delete the alias but leave the rule in place
d) Restore the config
Outcome after system reboots:
a) Dashboard notice is given saying "Unresolvable destination port alias 'p999' for rule blah"
b) /tmp/rules.debug contains a comment about the problem rule, like:
- Unresolvable destination port alias 'p999' for rule 'blah' label "USER_RULE"
and the actual rule is omitted from the ruleset
#5 Updated by Phillip Davis about 2 years ago
Changed code works also, and better - it allows port ranges through :)
While testing, I also entered an empty alias, which also breaks the ruleset. That is a different "feature" to the one here, so I raised issue https://redmine.pfsense.org/issues/7428 to track that.