firewall_aliases_edit.php: pf keyword matching is not catching some problem cases
When creating or editing an alias, input validation is performed against pf keywords to prevent them from being used as alias names. This works for most things, but if an interface does not have a <descr> tag then it can incorrectly allow an alias to be made which causes a ruleset error.
For example: the LAN interface internally is <lan> but in pf it creates a macro named LAN (uppercase). Currently, it is possible to create an alias named LAN since it does not match the reserved keyword lan. pf will fail to load the rules due to LAN being used twice in different ways.
If the <descr> tag is present, it is checked in a case-insensitive way, which would otherwise prevent this.
Changing the pf keyword match to be case insensitive solves the problem.
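The mismatch described above, as an added example that is not pfSense source code: the function name alias_name_conflicts(), the keyword subset and the interface data are all constructed assumptions. It compares a case-sensitive reserved-name match with a case-insensitive one for an interface that has no <descr> tag.

```php
<?php
// Added illustration; not pfSense source. All names and data below are constructed.

// Constructed subset of pf keywords that must not be used as alias names.
$pf_keywords = ['all', 'pass', 'block', 'out', 'queue', 'max', 'min'];

// Constructed interface config: internal name => descr.
// null models an interface whose <descr> tag is missing.
$interfaces = ['wan' => 'WAN', 'lan' => null, 'opt1' => 'DMZ'];

// Returns true when $name must be rejected as an alias name.
// $fold_case = false models the case-sensitive keyword match described as the problem;
// $fold_case = true models the case-insensitive match proposed as the fix.
function alias_name_conflicts(string $name, array $keywords, array $interfaces, bool $fold_case): bool
{
    // Reserved list: pf keywords plus internal interface names (lan, wan, ...).
    $reserved = array_merge($keywords, array_keys($interfaces));

    if ($fold_case) {
        $hit = in_array(strtolower($name), array_map('strtolower', $reserved), true);
    } else {
        $hit = in_array($name, $reserved, true);
    }
    if ($hit) {
        return true;
    }

    // Descriptions, where present, are compared case-insensitively in both modes.
    foreach ($interfaces as $descr) {
        if ($descr !== null && strcasecmp($name, $descr) === 0) {
            return true;
        }
    }
    return false;
}

// "LAN" is the problem case: no descr to catch it, and it differs from "lan" only by case.
foreach (['LAN', 'lan', 'Pass', 'wan', 'dmz', 'webservers'] as $candidate) {
    printf(
        "%-11s case-sensitive: %-9s case-insensitive: %s\n",
        $candidate,
        alias_name_conflicts($candidate, $pf_keywords, $interfaces, false) ? 'rejected' : 'allowed',
        alias_name_conflicts($candidate, $pf_keywords, $interfaces, true) ? 'rejected' : 'allowed'
    );
}
```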
#2 Updated by Danilo Zrenjanin 20 days ago
I replicated the issue on:
built on Thu Nov 29 14:06:34 EST 2018
1. I have erased the description tag (on the LAN interface) in config.xml
2. Reloaded config (rm /tmp/config.cache)
3. Created Alias [LAN]
4. Got the following error:
There were error(s) loading the rules: /tmp/rules.debug:35: syntax error - The line in question reads : scrub on $LAN all fragment reassemble.
Retested on CE latest snap:
built on Thu Jan 03 07:54:15 EST 2019
I performed the same steps as above and wasn't allowed to create the [LAN] alias at step 3.
The bug is fixed.