
Port forward: UI allows targeting of an object with ip range, leading to incorrect rule application #1032

Open
gsanchietti opened this issue Jan 16, 2025 · 3 comments
Labels
verified All test cases were verified successfully

Comments

@gsanchietti
Member

gsanchietti commented Jan 16, 2025

Description
The UI currently allows the creation or modification of port forward rules that target an object containing an IP range. This behavior results in the firewall rule incorrectly handling the dest_ip parameter, where only the IP range is considered. While the system does not crash, the rule is applied improperly, leading to unexpected behavior.

Steps to reproduce

  1. Create an object (obj1) with a single IP:

    config host 'ns_ee2225de'
        option name 'obj1'
        option family 'ipv4'
        list ipaddr '192.168.100.45'
    
  2. Create a port forward rule (pf1) that uses the object as the destination:

    config redirect 'ns_b2fd9097'
        option src 'wan'
        option target 'DNAT'
        option enabled '1'
        option log '0'
        option name 'pf1'
        option ns_dst 'objects/ns_ee2225de'
        list proto 'tcp'
        list proto 'udp'
        option reflection '0'
        option src_dport '4455'
        option dest_ip '192.168.100.45'
    
  3. Modify the obj1 file to include both an IP and an IP range:

    config host 'ns_ee2225de'
        option name 'obj1'
        option family 'ipv4'
        list ipaddr '192.168.100.45'
        list ipaddr '192.168.100.46-192.168.100.50'
    
  4. Observe the updated firewall and nftables configurations:

    • Firewall:
      config redirect 'ns_b2fd9097'
          option src 'wan'
          option target 'DNAT'
          option enabled '1'
          option log '0'
          option name 'pf1'
          option ns_dst 'objects/ns_ee2225de'
          list proto 'tcp'
          list proto 'udp'
          option reflection '0'
          option src_dport '4455'
          option dest_ip '192.168.100.46-192.168.100.50'
      
    • Nftables:
      chain dstnat_wan {
              meta nfproto ipv4 tcp dport 4455 counter packets 0 bytes 0 dnat ip to 192.168.100.46-192.168.100.50:4455 comment "!fw4: pf1"
              meta nfproto ipv4 udp dport 4455 counter packets 0 bytes 0 dnat ip to 192.168.100.46-192.168.100.50:4455 comment "!fw4: pf1"
      }
      

UI: [screenshot]

Expected behavior

  • The UI should prevent creating or modifying port forward rules that target an object containing an IP range, as this results in incorrect rule application.
  • The UI should prevent adding an IP range to an object used inside a port forward rule

Actual behavior

  • The UI allows targeting of an object containing an IP range for port forward rules.
  • Only the IP range is considered for the dest_ip configuration in the rules, leading to improper handling and potentially unintended behavior. This may cause issues in the application of the port forward rule.

Components
NethSecurity version: 8-23.05.5-ns.1.3.0

@stephdl
Contributor

stephdl commented Jan 17, 2025

This issue should close #898.

@stephdl
Contributor

stephdl commented Jan 28, 2025

QA

Use this image

Create host objects with

  • range
  • IP
  • object nested to object

case 1
Create a port forward using this object; only objects with an IP are available for destination and advanced/restricted access.

case 2
Once objects are set to a port forward:

Try to add a range to an object used by a port forward; it must be refused.
Try to add an object to an object used by a port forward; it must be refused.
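A validation pass for the root cause in the description and the two QA cases above, as an added Python example that is not code from NethSecurity: it parses a constructed UCI fragment modelled on the issue's snippets (the `objects/<id>` form for a nested object reference is an assumption), offers only objects holding exactly one single IPv4 address as port forward targets, and refuses adding a range or nested object to an object that a redirect already references.

```python
import ipaddress
import re

# Constructed UCI fragment modelled on the issue's snippets; 'objects/<id>' for a nested object is assumed.
UCI = """
config host 'ns_ee2225de'
    option name 'obj1'
    list ipaddr '192.168.100.45'
    list ipaddr '192.168.100.46-192.168.100.50'
config host 'ns_0000beef'
    list ipaddr '192.168.100.45'
config redirect 'ns_b2fd9097'
    option ns_dst 'objects/ns_0000beef'
"""

LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Minimal UCI parser -> {section_id: {"type": str, "options": {}, "lists": {}}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            cur = sections.setdefault(value or key, {"type": key, "options": {}, "lists": {}})
        elif kind == "option":
            cur["options"][key] = value
        else:
            cur["lists"].setdefault(key, []).append(value)
    return sections

def is_single_ipv4(entry):
    """Accept one plain host address only; ranges, CIDRs and object refs fail."""
    try:
        return isinstance(ipaddress.ip_address(entry), ipaddress.IPv4Address)
    except ValueError:
        return False

def eligible_targets(sections):
    """Case 1: only objects holding exactly one single IPv4 may be a port forward target."""
    return sorted(sid for sid, s in sections.items() if s["type"] == "host"
                  and len(s["lists"].get("ipaddr", [])) == 1
                  and is_single_ipv4(s["lists"]["ipaddr"][0]))

def can_add_entry(sections, obj_id, entry):
    """Case 2: refuse a range or nested object on an object a redirect already uses."""
    used = {s["options"].get("ns_dst", "").removeprefix("objects/")
            for s in sections.values() if s["type"] == "redirect"}
    return obj_id not in used or is_single_ipv4(entry)
```

With the constructed fragment, `obj1` is excluded from the target list because of its range, and `ns_0000beef` rejects both a range and an object reference because `pf1`-style redirect `ns_b2fd9097` points at it.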

@stephdl stephdl removed their assignment Jan 28, 2025
@stephdl stephdl added the testing Packages are available from testing repositories label Jan 28, 2025
@stephdl stephdl moved this from In Progress 🛠 to Testing in NethSecurity Jan 28, 2025
Tbaile pushed a commit to NethServer/nethsecurity-ui that referenced this issue Jan 28, 2025
@gsanchietti gsanchietti self-assigned this Jan 29, 2025
@gsanchietti
Member Author

Both test cases have been verified.

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Jan 29, 2025
@gsanchietti gsanchietti removed their assignment Jan 29, 2025
@nethbot nethbot moved this from Testing to Verified in NethSecurity Jan 29, 2025