11184 – DNAT host incorrectly rejected when last octet is 0

Bug 11184 - DNAT host incorrectly rejected when last octet is 0

Summary: DNAT host incorrectly rejected when last octet is 0

Status:	CLOSED FIXED

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	all All

Importance:	Will affect an average number of users Minor Usability
Assignee:	Alexander Marx
QA Contact:

URL:
Keywords:

Duplicates (1):	11128 (view as bug list)
Depends on:
Blocks:	FWBUGS
	Show dependency tree / graph

Reported:	2016-09-14 15:27 UTC by Craig Putnam
Modified:	2021-07-15 19:26 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
attachment-15129-0.html (2.40 KB, text/html) 2017-11-08 22:43 UTC, firewalker	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Craig Putnam 2016-09-14 15:27:06 UTC

Version:

IPFire 2.19 (x86_64) - core103

Bug:

DNAT validation rules incorrectly reject destination IPv4 addresses where the last octet is 0.

Steps to reproduce:

Define a LAN network 10.254.240.0/20. In the web UI, go to "Firewall", "Firewall Rules". Create a new rule using NAT, with the destination address of 10.254.241.0. The web UI reports the following error:

"You have to select a single host for DNAT. Groups or networks are not allowed."

Notes:

Ref forum post http://forum.ipfire.org/viewtopic.php?f=27&t=17189

One poster suggests that IPv4 addresses ending in 0 may cause compatibility issues with older IP stacks. While this may be true, it's not up to the firewall to reject valid addresses because of concerns about compatibility with ancient hardware. At worst, IPFire should issue a warning.

Comment 1 Arne.F 2016-09-14 16:05:37 UTC

*** Bug 11128 has been marked as a duplicate of this bug. ***

Comment 2 Peter Müller 2017-11-08 18:09:49 UTC

Is this bug still valid? (Cleaning up the bug list... :-) )

Comment 3 firewalker 2017-11-08 22:43:51 UTC

Created attachment 543 [details]
attachment-15129-0.html

Hi!
I am sorry, I have no lab to test it. I will have one next week.
nest regards,
Roland
Am Mittwoch, den 08.11.2017, 17:09 +0000 schrieb bugzilla@ipfire.org:
> Peter Müller changed bug 11184 
> What	Removed	Added
> CC	  	peter.mueller@link38.eu            
> Comment # 2 on bug 11184 from Peter Müller
> Is this bug still valid? (Cleaning up the bug list... :-) )
> You are receiving this mail because:
> You are on the CC list for the bug.

Comment 4 Alexander Marx 2018-04-05 11:42:55 UTC

Well, as far as i understand DNAT, the sense is to redirect an incoming request to a special target. 
A network is not a special target and i am not able to see a sense in redirecting a request to a network. ( Octet 0 is the network address if i am right) 

From my point of view this is not a bug.

Comment 5 Arne.F 2018-04-05 13:57:18 UTC

It is a bug. The code not check the network address it check if the last octet is zero. This check is wrong for hosts inside the network if the network is larger than /24.

See duplicate bug https://bugzilla.ipfire.org/show_bug.cgi?id=11128 for more details.

Comment 6 Stefan Schantl 2021-07-15 19:26:36 UTC

Bug has been fixed years ago with the following commit:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=bbe8e009b824aef745c9ab9718dce9a1b557f5fc