authorjim-p <jimp@pfsense.org>2015-06-17 15:33:24 -0400
committerjim-p <jimp@pfsense.org>2015-06-17 15:33:24 -0400
commite932c35017d0c5e35957e01c90dab57a0519f588 (patch)
tree154a22713ee95cda80bb0197d80d6866c8968e1e /etc
parenta7c28e996c22394d77dad678e70640e4eeed852d (diff)
Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. Fixes #4772
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc4
1 files changed, 3 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 910ea80..2dc5234 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1301,6 +1301,8 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
$subnet = $route['subnet'];
$subnet_split = explode("/", $subnet);
$subnet_if = $route['if'];
+ /* Blacklist invalid "from" sources since they can be picked up accidentally and cause rule errors. */
+ $no_reflect_from = array("l2tp");
if (in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
$ifsubnet_ip = "";
/* Find interface IP to use for NAT */
@@ -1310,7 +1312,7 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
break;
}
}
- if (!empty($ifsubnet_ip)) {
+ if(!empty($ifsubnet_ip) && !in_array($subnet, $no_reflect_from)) {
$subnets = array($subnet);
/* Find static routes that also need to be referenced in the NAT rule */
foreach ($route_table as $rtentry) {
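Review bot: The new guard `if(!empty($ifsubnet_ip) && !in_array($subnet, $no_reflect_from))` compares `$subnet` (the `$route['subnet']` string that the first hunk splits as CIDR into `$subnet_split`) against an entry named like an interface, and it is evaluated only after `check_subnets_overlap()` in the first hunk has already consumed `$subnet_split[1]`; if the unwanted entry really arrives with `$subnet` equal to `l2tp`, that earlier call sees an undefined offset before the blacklist is consulted. Unless the intent is to match `$subnet_if` instead, the filter belongs before the overlap test, e.g. skipping the entry with `if (in_array($subnet, $no_reflect_from, true)) { continue; }` directly after the `$no_reflect_from` assignment (this assumes the block sits inside the loop over `$route_table`, whose start is outside the hunk). Two smaller points: `if(` drops the space used by the removed line and the surrounding code, and `in_array()` should pass `true` as its third argument so only an exact string matches. The enclosing function `filter_generate_reflection_nat` begins and ends outside both hunks.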