author | jim-p <jimp@pfsense.org> | 2015-06-17 15:32:11 -0400 |
committer | jim-p <jimp@pfsense.org> | 2015-06-17 15:32:11 -0400 |
commit | 2e0397e05b6168dfcfbd04c9f3629a988744a8b2 (patch) | |
tree | b27b4ba5784d0e79ae0fc4255d4d50d2da7746da | |
parent | bc8adf7e03fb40617d165c4b2313c61abfdc1a4b (diff) | |
Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. Fixes #4772
-rw-r--r-- | etc/inc/filter.inc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f2d5683..149abb7 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1217,6 +1217,8 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
 $subnet = $route['subnet'];
 $subnet_split = explode("/", $subnet);
 $subnet_if = $route['if'];
+ /* Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. */
+ $no_reflect_from = array("l2tp");
 if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
 $ifsubnet_ip = "";
 /* Find interface IP to use for NAT */
@@ -1226,7 +1228,7 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
 break;
 }
 }
- if(!empty($ifsubnet_ip)) {
+ if(!empty($ifsubnet_ip) && !in_array($subnet, $no_reflect_from)) {
 $subnets = array($subnet);
 /* Find static routes that also need to be referenced in the NAT rule */
 foreach($route_table as $rtentry) { |
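Review bot: The new `$no_reflect_from` test is applied only at the inner `if(!empty($ifsubnet_ip) ...)` in the second hunk, so `explode("/", $subnet)`, `check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])` and the interface-IP search have already run on the very entry the commit intends to discard; if `$subnet` can literally be `l2tp`, as the comparison implies, that value has no `/` and `$subnet_split[1]` is undefined at the overlap call. Moving the test into the outer condition skips the entry before it is parsed, `if(!in_array($subnet, $no_reflect_from, true) && in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {`, and the inner condition can stay as it was; passing `true` as the third argument to `in_array` also avoids PHP's loose string comparison. Since the array is a constant it would be better declared once before the loop rather than rebuilt per `$route`; I am inferring the loop from the `$route[...]` indexing, as both it and `filter_generate_reflection_nat` begin outside the hunk.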