Bug #7421
closed
Unresolvable port alias is omitted from rule rather than generating an error
Added by Jim Pingle about 7 years ago.
Updated about 7 years ago.
Affected Architecture:
All
Description
GUI validation prevents this from happening, but if a port alias is missing from the firewall configuration, a rule using that alias is still included in the ruleset, but without the port. No errors are generated by the firewall.
The only way this can happen is if the user, against all advice, hand edits the configuration and accidentally omits or deletes the port alias.
That said, we toss out rules that have missing source/destination address aliases, so we should be consistent and toss out missing port alias rules the same way.
To me, I have a patch.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Test:
a) Add an alias and a rule that uses it
b) Backup config
c) Edit config, delete the alias but leave the rule in place
d) Restore the config
Outcome after system reboots:
a) Dashboard notice is given saying "Unresolvable destination port alias 'p999' for rule blah"
b) /tmp/rules.debug contains a comment about the problem rule, like:
- Unresolvable destination port alias 'p999' for rule 'blah' label "USER_RULE"
and the actual rule is omitted from the ruleset
All good
- Status changed from Feedback to Resolved
Great, thanks for testing!
There was a problem with this code and validating port ranges. I pushed another fix that should cover that case as well.
Changed code works also, and better - it allows port ranges through :)
While testing, I also entered an empty alias, which also breaks the ruleset. That is a different "feature" to the one here, so I raised issue https://redmine.pfsense.org/issues/7428 to track that.
I'll close this out and check out the other ticket/PR shortly. Thanks!
Also available in: Atom
PDF
Updated by 
Updated by