Project

General

Profile

Actions
Copy link

Bug #9231

closed

firewall_aliases_edit.php: pf keyword matching is not catching some problem cases

Added by Jim Pingle over 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Rules / NAT
Target version:
2.4.4-p3
Start date:
12/27/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

When creating or editing an alias, input validation is performed against pf keywords to prevent them from being used as alias names. This works for most things, but if an interface does not have a <descr> tag then it can incorrectly allow an alias to be made which causes a ruleset error.

For example: LAN interface internally is <lan> but in pf it creates a macro named LAN (uppercase). Currently, it is possible to create an alias named LAN since it does not match the reserved keyword lan. pf will fail to load the rules due to LAN being used twice in different ways.

If the <descr> tag is present, it is checked in a case-insensitive way, which would otherwise prevent this.

Changing the pf keyword match to be case insensitive solves the problem.

Actions
Copy link
 #1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Danilo Zrenjanin over 5 years ago

I replicated the issue on:

SG-3100

2.4.4-RELEASE-p1 (arm)
built on Thu Nov 29 14:06:34 EST 2018
FreeBSD 11.2-RELEASE-p4

1.I have erased description tag (on LAN interface) in config.xml
2.Reloaded config (rm /tmp/config.cache)
3.Created Alias [LAN]
4.got the following error
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:35: syntax error - The line in question reads [35]: scrub on $LAN all fragment reassemble.

Retested on CE latest snap:

2.4.5-DEVELOPMENT (amd64)
built on Thu Jan 03 07:54:15 EST 2019
FreeBSD 11.2-RELEASE-p6

I performed the same steps as above and wasn't allowed to create [LAN] Alias at 3.step

The bug is fixed.

Actions
Copy link
 #3

Updated by Danilo Zrenjanin over 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #4

Updated by Jim Pingle about 5 years ago

  • Target version changed from 48 to 2.5.0
Actions
Copy link
 #5

Updated by Jim Pingle almost 5 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3
Actions
Copy link
 #6

Updated by Jim Pingle almost 5 years ago

  • Status changed from Resolved to Feedback
Actions
Copy link
 #7

Updated by Chris Linstruth almost 5 years ago

2.4.4-p3:
Could not create aliases with the same name as the pfSense interface name or the descriptive name of any existing interfaces.

The following input errors were detected:

An interface description with this name already exists.

The following input errors were detected:

Cannot use a reserved keyword as an alias name: opt1
    An interface description with this name already exists.
Actions
Copy link
 #8

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF