On Thu, Dec 22, 2011 at 6:17 AM, Norman Golisz <[email protected]> wrote:
> pfSense version in use:
> 2.0.1-RELEASE (i386)
> built on Mon Dec 12 18:24:17 EST 2011
> FreeBSD 8.1-RELEASE-p6
>
> Problem description:
> When creating a new NAT entry with Associated Filter Rule, the
> generated packet filter rule lacks the destination port, though it's
> present in the NAT entry. The redirection port is not explicitly
> specified. In case one explicitly specifies a redirection port, the
> filter rule contains the correct destination port.
> Because pfSense creates rules without regard to existing ones, it is
> possible to have duplicate filter rules of the form:
>
> pass on $wan_if inet proto tcp from any to $some_host
>
> Further, this behaviour thwarts the logic of Traffic Shaping as well.
> Since there's no destination port in the filter rule, one cannot create
> shaping rules based on this criterion, say, prioritise any traffic
> coming from $wan_if destined for web services.
>
> Steps to reproduce:
> Just create a new NAT entry with a specified destination port and without
> a redirection port and check the generated filter rule.
>
> I pretty much know how to master this manually, but this is not the point
> here. I think this is a bug which needs to be corrected. The generated
> filter rule should have either the destination or redirection port
> inherited from the NAT entry, depending on what is present.
>
> Do you agree?
>
That was missing input validation: as the target port is a required field, it can't be left blank. It does create a valid PF rule, but we've always enforced that to be present; it regressed in 2_0. I fixed it.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
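The rule shape the report complains about, worked through as an added example (not code from pfSense or from either poster): one function derives the filter rule the reporter asks for (redirect port if set, otherwise the NAT destination port), and a second audits a list of generated `pass` rules for the two symptoms described, a missing destination port and exact duplicates. Rules use the simplified form quoted in the report; real pfSense output carries more options, and the NAT entries and rule lines below are constructed.

```python
import re
from collections import Counter

# Constructed NAT entries: the destination port is always set, the
# redirection port is optional (None when the user left it blank).
NAT_ENTRIES = [
    {"iface": "$wan_if", "proto": "tcp", "target": "$web_host", "dst_port": 80, "rdr_port": None},
    {"iface": "$wan_if", "proto": "tcp", "target": "$web_host", "dst_port": 443, "rdr_port": None},
    {"iface": "$wan_if", "proto": "tcp", "target": "$ssh_host", "dst_port": 2222, "rdr_port": 22},
]

def expected_filter_rule(entry):
    """Filter rule the report asks for: the port is the redirection port when
    one is set, otherwise the NAT destination port; it is never omitted."""
    port = entry["rdr_port"] if entry["rdr_port"] is not None else entry["dst_port"]
    return (f"pass on {entry['iface']} inet proto {entry['proto']} "
            f"from any to {entry['target']} port {port}")

# Simplified pass-rule syntax as quoted in the report; the port clause is optional.
RULE_RE = re.compile(
    r"^pass on (?P<iface>\S+) inet proto (?P<proto>\S+) from any to "
    r"(?P<target>\S+)(?: port (?P<port>\d+))?$")

def audit_rules(rules):
    """Flag generated pass rules with no destination port (over-broad, the
    behaviour reported) and exact duplicates. Returns (portless, duplicates)."""
    portless, seen = [], Counter()
    for raw in rules:
        rule = raw.strip()
        m = RULE_RE.match(rule)
        if not m:
            continue  # not a NAT-style pass rule in the simplified form; ignore
        seen[rule] += 1
        if m.group("port") is None:
            portless.append(rule)
    duplicates = [rule for rule, n in seen.items() if n > 1]
    return portless, duplicates

# Constructed sample of what the buggy generator emits for the entries above:
# the two web entries collapse into the same portless rule.
BUGGY_RULES = [
    "pass on $wan_if inet proto tcp from any to $web_host",
    "pass on $wan_if inet proto tcp from any to $web_host",
    "pass on $wan_if inet proto tcp from any to $ssh_host port 22",
]
```

Running `audit_rules` over the rules pfSense actually generated, rather than the constructed list, is the quick way to confirm a build carries the fix.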
