Firewall: prevent source/destination inversion when multiple nets are selected. closes https://github.com/opnsense/core/issues/8559

This commit is contained in:
Ad Schellevis 2025-04-22 20:37:56 +02:00
parent 9c50cbfcb8
commit bf14a0a2e3
2 changed files with 19 additions and 0 deletions


@ -92,6 +92,19 @@ class Filter extends BaseModel
}
}
if (strpos($rule->source_net, ',') !== false && $rule->source_not == '1') {
$messages->appendMessage(new Message(
gettext("Inverting sources is only allowed for single targets to avoid mis-interpretations"),
$rule->source_not->__reference
));
}
if (strpos($rule->destination_net, ',') !== false && $rule->destination_not == '1') {
$messages->appendMessage(new Message(
gettext("Inverting destinations is only allowed for single targets to avoid mis-interpretations"),
$rule->destination_net->__reference
));
}
// Additional source nat validations
if ($rule->target !== null) {
$target_is_addr = Util::isSubnet($rule->target) || Util::isIpAddress($rule->target);
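Review bot: The destination message is attached to the wrong field: the source branch passes `$rule->source_not->__reference`, but the destination branch passes `$rule->destination_net->__reference`, so that error would be reported against the destination network field instead of the invert checkbox. For parity with the source branch it should read `$rule->destination_not->__reference`. The enclosing validation method starts before and continues after this hunk.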


@ -316,6 +316,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
}
if (strpos($pconfig['src'], ',') > 0) {
if (!empty($pconfig['srcnot'])) {
$input_errors[] = gettext("Inverting sources is only allowed for single targets to avoid mis-interpretations");
}
foreach (explode(',', $pconfig['src']) as $tmp) {
if (!is_specialnet($tmp) && !is_alias($tmp)) {
$input_errors[] = sprintf(gettext("%s is not a valid source alias."), $tmp);
@ -325,6 +328,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."),$pconfig['src']);
}
if (strpos($pconfig['dst'], ',') > 0) {
if (!empty($pconfig['dstnot'])) {
$input_errors[] = gettext("Inverting destinations is only allowed for single targets to avoid mis-interpretations");
}
foreach (explode(',', $pconfig['dst']) as $tmp) {
if (!is_specialnet($tmp) && !is_alias($tmp)) {
$input_errors[] = sprintf(gettext("%s is not a valid destination alias."), $tmp);
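Review bot: The new invert checks sit inside the pre-existing `strpos($pconfig['src'], ',') > 0` gate (and the matching `dst` gate in the second hunk), which is false when the value begins with a comma, whereas the model-side check in Filter.php uses `!== false`; a value such as `,alias1` with the invert flag set would therefore pass this form validation and only be rejected, if at all, later by the model. If the two paths are meant to agree, the gate would read `if (str_contains($pconfig['src'], ',')) {` (and likewise for `dst`). The enclosing request-handling block starts before the first hunk.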