From 971df3c4bfae40a982f670ffbe932b7013faf9db Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Sun, 14 Apr 2019 15:12:50 +0200 Subject: [PATCH] Filter, "no translation address with matching address family found" fix for https://github.com/opnsense/core/issues/2841 This might have side affects, stupid thing is that in some situations :network doesn't appear to yield this error (e.g. openvpn:network), although I'm also not 100% it does work when not raising any errors. Now we validate if there's a matching address for the ip protocol requested, otherwise it will disable the rule (and log in the /tmp/rules.debug file about it)
---
 .../mvc/app/library/OPNsense/Firewall/Rule.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
index d0e46aa6e..0c56769de 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
@@ -254,6 +254,17 @@ abstract class Rule
 $rule[$target] = "({$interfaces["{$matches[1]}"]['if']})";
 }
 } elseif (!empty($interfaces[$network_name]['if'])) {
+ if ($rule['ipprotocol'] == "inet") {
+ $network_found = !empty($interfaces[$network_name]['ifconfig']['ipv4']);
+ } else {
+ $network_found = !empty($interfaces[$network_name]['ifconfig']['ipv6']);
+ }
+ if (!$network_found) {
+ $rule['disabled'] = true;
+ $this->log(
+ "network address type {$rule['ipprotocol']} not found on interface {$network_name}"
+ );
+ }
 $rule[$target] = "({$interfaces[$network_name]['if']}:network)";
 } elseif (Util::isIpAddress($rule[$tag]['network']) || Util::isSubnet($rule[$tag]['network'])) {
 $rule[$target] = $rule[$tag]['network'];
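Review bot: The `else` branch of the new address-family check treats every `ipprotocol` value other than "inet" as IPv6, so a rule that reaches this point with the key unset, empty or holding some other value would be tested against `['ifconfig']['ipv6']` and disabled on an IPv4-only interface. Whether such values can arrive here is not visible in the hunk, but making the second case explicit with `} elseif ($rule['ipprotocol'] == "inet6") {` and a final `else` that sets `$network_found = true` keeps the check from disabling rules it was not meant to judge. Because the rule being switched off may be a block rule, disabling it changes what the firewall lets through, and the message passed to `$this->log()` reports the missing address type but not that the rule was disabled, which is the fact an operator needs to see. The enclosing method starts and ends outside the hunk.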