Bug 11184

Summary: DNAT host incorrectly rejected when last octet is 0
Product: IPFire
Reporter: Craig Putnam <itsupport>
Component: ---
Assignee: Alexander Marx <alexander.marx>
Status: CLOSED FIXED
QA Contact:
Severity: Minor Usability
Priority: Will affect an average number of users
CC: arne.fitzenreiter, peter.mueller, roland.schaffer, stefan.schantl
Version: 2
Hardware: all
OS: All
Bug Depends on:
Bug Blocks: 12278
Attachments: attachment-15129-0.html

Description Craig Putnam 2016-09-14 15:27:06 UTC
Version:

IPFire 2.19 (x86_64) - core103

Bug:

DNAT validation rules incorrectly reject destination IPv4 addresses where the last octet is 0.

Steps to reproduce:

Define a LAN network 10.254.240.0/20. In the web UI, go to "Firewall", "Firewall Rules". Create a new rule using NAT, with the destination address of 10.254.241.0. The web UI reports the following error:

"You have to select a single host for DNAT. Groups or networks are not allowed."

Notes:

Ref forum post http://forum.ipfire.org/viewtopic.php?f=27&t=17189

One poster suggests that IPv4 addresses ending in 0 may cause compatibility issues with older IP stacks. While this may be true, it's not up to the firewall to reject valid addresses because of concerns about compatibility with ancient hardware. At worst, IPFire should issue a warning.
Comment 1 Arne.F 2016-09-14 16:05:37 UTC
*** Bug 11128 has been marked as a duplicate of this bug. ***
Comment 2 Peter Müller 2017-11-08 18:09:49 UTC
Is this bug still valid? (Cleaning up the bug list... :-) )
Comment 3 firewalker 2017-11-08 22:43:51 UTC
Created attachment 543: attachment-15129-0.html

Hi!
I am sorry, I have no lab to test it. I will have one next week.
Best regards,
Roland
Comment 4 Alexander Marx 2018-04-05 11:42:55 UTC
Well, as far as I understand DNAT, the sense is to redirect an incoming request to a special target.
A network is not a special target and I am not able to see a sense in redirecting a request to a network. (Octet 0 is the network address, if I am right)

From my point of view this is not a bug.
Comment 5 Arne.F 2018-04-05 13:57:18 UTC
It is a bug. The code does not check the network address; it checks whether the last octet is zero. This check is wrong for hosts inside the network if the network is larger than /24.

See duplicate bug https://bugzilla.ipfire.org/show_bug.cgi?id=11128 for more details.
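The defect described in comment 5, illustrated with an added Python example that is not IPFire's own (Perl) code: the flawed "last octet is zero" test beside a check that compares the address against the network address for the prefix length it belongs to. The prefix-length argument, the treatment of /31 and /32 as single hosts, and the rejection of the broadcast address are assumptions made here, not behaviour the bug report specifies.

```python
import ipaddress

# Constructed re-implementation of the two validation approaches discussed in
# the bug; neither function is taken from IPFire's firewall.cgi.

def is_single_host_buggy(addr: str) -> bool:
    """Flawed check: any address whose last octet is 0 is treated as a network.

    This reproduces the reported behaviour: 10.254.241.0 is rejected even
    though it is an ordinary host inside 10.254.240.0/20.
    """
    ip = ipaddress.IPv4Address(addr)
    return ip.packed[-1] != 0


def is_single_host(addr: str, prefixlen: int) -> bool:
    """Correct check: derive the network for the given prefix length and
    reject only the network address itself (and, as an assumption here,
    the broadcast address, which is not a usable DNAT target either).
    /31 and /32 carry no network/broadcast address, so every address is a host.
    """
    ip = ipaddress.IPv4Address(addr)
    if prefixlen >= 31:
        return True
    net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
    return ip != net.network_address and ip != net.broadcast_address


def validate_dnat_target(addr: str, prefixlen: int) -> str:
    """Return the message the web UI would show for a DNAT destination."""
    if is_single_host(addr, prefixlen):
        return "ok"
    return ("You have to select a single host for DNAT. "
            "Groups or networks are not allowed.")


if __name__ == "__main__":
    # 10.254.241.0 is a host in 10.254.240.0/20, so the buggy check is wrong
    print("buggy :", is_single_host_buggy("10.254.241.0"))      # False
    print("fixed :", validate_dnat_target("10.254.241.0", 20))  # ok
    print("netaddr:", validate_dnat_target("10.254.240.0", 20)) # rejected
```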
Comment 6 Stefan Schantl 2021-07-15 19:26:36 UTC
Bug has been fixed years ago with the following commit:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=bbe8e009b824aef745c9ab9718dce9a1b557f5fc