Bug #9231
closed
firewall_aliases_edit.php: pf keyword matching is not catching some problem cases
Added by Jim Pingle almost 6 years ago.
Updated over 5 years ago.
Affected Architecture:
All
Description
When creating or editing an alias, input validation is performed against pf keywords to prevent them from being used as alias names. This works for most things, but if an interface does not have a <descr> tag then it can incorrectly allow an alias to be made which causes a ruleset error.
For example: LAN interface internally is <lan> but in pf it creates a macro named LAN (uppercase). Currently, it is possible to create an alias named LAN since it does not match the reserved keyword lan. pf will fail to load the rules due to LAN being used twice in different ways.
If the <descr> tag is present, it is checked in a case-insensitive way, which would otherwise prevent this.
Changing the pf keyword match to be case insensitive solves the problem.
- Status changed from New to Feedback
- % Done changed from 0 to 100
I replicated the issue on:
SG-3100
2.4.4-RELEASE-p1 (arm)
built on Thu Nov 29 14:06:34 EST 2018
FreeBSD 11.2-RELEASE-p4
1.I have erased description tag (on LAN interface) in config.xml
2.Reloaded config (rm /tmp/config.cache)
3.Created Alias [LAN]
4.got the following error
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:35: syntax error - The line in question reads [35]: scrub on $LAN all fragment reassemble.
Retested on CE latest snap:
2.4.5-DEVELOPMENT (amd64)
built on Thu Jan 03 07:54:15 EST 2019
FreeBSD 11.2-RELEASE-p6
I performed the same steps as above and wasn't allowed to create [LAN] Alias at 3.step
The bug is fixed.
- Status changed from Feedback to Resolved
- Target version changed from 48 to 2.5.0
- Target version changed from 2.5.0 to 2.4.4-p3
- Status changed from Resolved to Feedback
2.4.4-p3:
Could not create aliases with the same name as the pfSense interface name or the descriptive name of any existing interfaces.
The following input errors were detected:
An interface description with this name already exists.
The following input errors were detected:
Cannot use a reserved keyword as an alias name: opt1
An interface description with this name already exists.
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by