From bf14a0a2e36a9118d414b20cf69bfa0c17c39656 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 22 Apr 2025 20:37:56 +0200
Subject: [PATCH] Firewall: prevent source/destination inversion when multiple nets are selected.

closes https://github.com/opnsense/core/issues/8559
---
 .../mvc/app/models/OPNsense/Firewall/Filter.php | 13 +++++++++++++
 src/www/firewall_rules_edit.php | 6 ++++++
 2 files changed, 19 insertions(+)
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index ccd5308c7..d7b48feb8 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -92,6 +92,19 @@ class Filter extends BaseModel
 }
 }
 
+ if (strpos($rule->source_net, ',') !== false && $rule->source_not == '1') {
+ $messages->appendMessage(new Message(
+ gettext("Inverting sources is only allowed for single targets to avoid mis-interpretations"),
+ $rule->source_not->__reference
+ ));
+ }
+ if (strpos($rule->destination_net, ',') !== false && $rule->destination_not == '1') {
+ $messages->appendMessage(new Message(
+ gettext("Inverting destinations is only allowed for single targets to avoid mis-interpretations"),
+ $rule->destination_net->__reference
+ ));
+ }
+
 // Additional source nat validations
 if ($rule->target !== null) {
 $target_is_addr = Util::isSubnet($rule->target) || Util::isIpAddress($rule->target);
diff --git a/src/www/firewall_rules_edit.php b/src/www/firewall_rules_edit.php
index 582d62167..79337b705 100644
--- a/src/www/firewall_rules_edit.php
+++ b/src/www/firewall_rules_edit.php
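Review bot: The destination validation anchors its message to `$rule->destination_net->__reference` while the parallel source validation anchors to `$rule->source_not->__reference`, so the same condition is reported against different fields; the destination branch should read `$rule->destination_not->__reference` so the error lands on the inversion checkbox like its source counterpart. Both checks use loose `== '1'` and `strpos(...) !== false` on the field objects, which presumably relies on their string conversion and appears consistent with the surrounding model code as far as visible. This only rejects rules at save time; a configuration that already combines inversion with a multi-net selection would presumably still load and be interpreted as before, so a migration or a load-time warning for such existing rules may be worth considering. The enclosing validation method starts and ends outside the hunk.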
@@ -316,6 +316,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 }
 if (strpos($pconfig['src'], ',') > 0) {
+ if (!empty($pconfig['srcnot'])) {
+ $input_errors[] = gettext("Inverting sources is only allowed for single targets to avoid mis-interpretations");
+ }
 foreach (explode(',', $pconfig['src']) as $tmp) {
 if (!is_specialnet($tmp) && !is_alias($tmp)) {
 $input_errors[] = sprintf(gettext("%s is not a valid source alias."), $tmp);
@@ -325,6 +328,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."),$pconfig['src']);
 }
 if (strpos($pconfig['dst'], ',') > 0) {
+ if (!empty($pconfig['dstnot'])) {
+ $input_errors[] = gettext("Inverting destinations is only allowed for single targets to avoid mis-interpretations");
+ }
 foreach (explode(',', $pconfig['dst']) as $tmp) {
 if (!is_specialnet($tmp) && !is_alias($tmp)) {
 $input_errors[] = sprintf(gettext("%s is not a valid destination alias."), $tmp);
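Review bot: The new inversion guard is gated by the pre-existing `strpos($pconfig['src'], ',') > 0` branch (and `strpos($pconfig['dst'], ',') > 0` in the second hunk), so a value whose first character is a comma is not treated as multi-target and never reaches the check; whether the single-target path that follows rejects such a string is not visible here. The model-side check added in Filter.php tests `!== false`, so aligning the legacy page on `if (strpos($pconfig['src'], ',') !== false) {` (and likewise for `dst`) would make the two validation paths agree on what counts as a multi-net selection. The same applies to the dst hunk below. The enclosing request-handling block starts and ends outside both hunks.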