Project

General

Profile

Actions

Bug #9231

closed

firewall_aliases_edit.php: pf keyword matching is not catching some problem cases

Added by Jim Pingle over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
12/27/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

When creating or editing an alias, input validation is performed against pf keywords to prevent them from being used as alias names. This works for most things, but if an interface does not have a <descr> tag then it can incorrectly allow an alias to be made which causes a ruleset error.

For example: LAN interface internally is <lan> but in pf it creates a macro named LAN (uppercase). Currently, it is possible to create an alias named LAN since it does not match the reserved keyword lan. pf will fail to load the rules due to LAN being used twice in different ways.

If the <descr> tag is present, it is checked in a case-insensitive way, which would otherwise prevent this.

Changing the pf keyword match to be case insensitive solves the problem.

Actions

Also available in: Atom PDF