Bug 11128 - NAT Target - host/network recognition buggy
Summary: NAT Target - host/network recognition buggy
Status: CLOSED DUPLICATE of bug 11184
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Assignee: Alexander Marx

Reported: 2016-05-23 20:24 UTC by firewalker
Modified: 2016-09-14 16:05 UTC (History)
Attachments
attachment-14668-0.html (2.74 KB, text/html), 2016-05-26 15:31 UTC, firewalker
attachment-14759-0.html (2.47 KB, text/html), 2016-05-26 15:32 UTC, firewalker
attachment-19953-0.html (2.49 KB, text/html), 2016-05-26 16:49 UTC, firewalker
attachment-32174-0.html (4.08 KB, text/html), 2016-05-26 19:46 UTC, firewalker

Description firewalker 2016-05-23 20:24:24 UTC
Hello!

BUG in "Firewall Rule (Destination-NAT / Port-Forward)"

In section TARGET is a HOST field.
If the host 172.16.1.0/12 is entered, IPFire recognizes it as a NETWORK. That's wrong.

The network recognition must be made with an AND, not with "is last byte=0?"

greets,
Roland
Comment 1 Michael Tremer 2016-05-26 00:29:09 UTC
This is *NOT* a bug.

You are allowed to type networks and hosts into the "destination" field.

Of course 172.16.1.0/12 is a network. The correct notation would actually be 172.16.0.0/12 for this one since that is the first address in this net.

Any other addresses up to 172.31.255.255 are indeed hosts, but those should have /32 as prefix then.

The /12 denotes that only the first 12 bytes should actually be taken into account of this address. A zero at the end does at no time mean that this is a subnet instead of a host. The subnet mask does that.
Comment 2 firewalker 2016-05-26 15:31:04 UTC
Created attachment 444 [details]
attachment-14668-0.html

Dear Michael!
My network IS 172.16.0.0/12
in this network I have a host, it is 172.16.1.0 :)))
172.16.0.0 is the Network-IP
172.31.255.255 is the broadcast
and everything BETWEEN those 2 addresses are hosts.
Greets,
Roland
Comment 3 firewalker 2016-05-26 15:32:44 UTC
Created attachment 445 [details]
attachment-14759-0.html

Ah, I forgot: it is REALLY(!) a bug, you just looked over it too quickly ;)
Comment 4 Michael Tremer 2016-05-26 15:48:40 UTC
I have no idea what you are trying to tell me here.

The correct notation for a host is: 172.16.1.0/32

If you type 172.16.1.0/12, everything after the twelfth bit will be ignored. This is exactly the same as writing 172.16.0.0/12 or 172.16.31.255/12.

For your convenience, just leave out the prefix when entering a host and just use the address part of the IP address, because 172.16.1.0 is the address of your host; 172.16.1.0/12 isn't.
Comment 5 firewalker 2016-05-26 16:49:00 UTC
Created attachment 446 [details]
attachment-19953-0.html

Okay :) I think you are from Germany, aren't you?
German is easier for me.
So, apparently we have a misunderstanding:
my host is called 172.16.1.0/32
The network the host belongs to is called: 172.16.0.0/12
And IPFire complains because it thinks 172.16.1.0 is a network (and this complaining by IPFire is the bug!):
Error message from IPFire when creating a firewall rule with DNAT:
"Für Destination-NAT muss ein einzelner Host als Ziel ausgewählt werden. Gruppen oder Netzwerke sind nicht erlaubt" ("For Destination-NAT a single host must be selected as the target. Groups or networks are not allowed")
I can also gladly call you and, as far as I am concerned, demonstrate it to you with TeamViewer, if that helps you.
I think IPFire is great, I also teach it to my students (in the network lab).
So I really respect your work!
So if I can help you fix the bug, that is fine with me.
Best regards,
Roland
Comment 6 Michael Tremer 2016-05-26 19:39:09 UTC
Nope, and I do not live in Germany... This bug tracker is using English anyway. Please stick with that.

I have no idea what you are trying to say here. Maybe add some screenshots or describe the steps that you are doing and where the issue is.

Comment 7 firewalker 2016-05-26 19:46:46 UTC
Created attachment 447 [details]
attachment-32174-0.html

Okay, sorry.
Once again in English:
I guess there is a big misunderstanding.
1) I have the network: 172.16.0.0/12
2) I have a host 172.16.1.0/32
3) when making a DNAT IPFire rule (port forwarding), IPFire says:
"172.16.1.0 is a network not a host" and rejects the rule -> this is the bug
If this is still not clear, I can call you by phone if this clears things up.
I really appreciate your work!
I do not only use IPFire but also teach it to my students! :)
Best regards,
Roland
Comment 8 Arne.F 2016-09-14 16:03:16 UTC
This is a bug!
If you have a larger net than /24, there are also valid IPs where the last octet is "0".
The buggy validation code checks whether the last octet is 0 or 255, which is only valid for /24 networks.
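
The difference between the two checks discussed in this thread, as an added example that is not IPFire's own code: the last-octet heuristic is reconstructed from the description in comment 8, and the mask-based check is the "AND" the reporter asks for. All function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def classify_last_octet(addr: str) -> str:
    """Heuristic as described in comment 8 (reconstructed, hypothetical name):
    a last octet of 0 or 255 is taken to mean 'not a single host'."""
    last = int(addr.split(".")[-1])
    return "network" if last in (0, 255) else "host"

def classify_with_mask(addr: str, subnet: str) -> str:
    """Classify addr inside its enclosing subnet by ANDing with the netmask."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    ip = int(ipaddress.IPv4Address(addr))
    mask = int(net.netmask)
    wildcard = mask ^ 0xFFFFFFFF          # host part of the address
    if (ip & mask) != int(net.network_address):
        return "outside"
    if net.prefixlen >= 31:               # /31 and /32 reserve no addresses
        return "host"
    host_bits = ip & wildcard
    if host_bits == 0:
        return "network"                  # all host bits clear
    if host_bits == wildcard:
        return "broadcast"                # all host bits set
    return "host"

def is_single_host_target(target: str) -> bool:
    """A DNAT target is a single host if it is a bare address or a /32."""
    return ipaddress.IPv4Interface(target).network.prefixlen == 32

# Constructed sample inputs: (address, enclosing subnet)
SAMPLES = [
    ("172.16.1.0", "172.16.0.0/12"),      # the reporter's host
    ("172.16.1.255", "172.16.0.0/12"),    # also a valid host in a /12
    ("172.16.0.0", "172.16.0.0/12"),      # real network address
    ("172.31.255.255", "172.16.0.0/12"),  # real broadcast address
    ("192.168.1.64", "192.168.1.64/26"),  # network address the heuristic misses
]

def compare():
    """Return (address, subnet, heuristic verdict, mask-based verdict) rows."""
    return [(a, n, classify_last_octet(a), classify_with_mask(a, n))
            for a, n in SAMPLES]

if __name__ == "__main__":
    for addr, net, old, new in compare():
        print(f"{addr:<16} in {net:<18} last-octet={old:<8} mask={new}")
```

The heuristic fails in both directions: it rejects valid hosts in subnets larger than /24 and accepts network addresses in subnets smaller than /24.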
Comment 9 Arne.F 2016-09-14 16:05:37 UTC

*** This bug has been marked as a duplicate of bug 11184 ***