2.3 Firewall -> Aliases Host(s) subnet broken



  • In 2.3, when trying to add an Alias of type "Host(s)", the text reads:

    "Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated."

    However, if I enter in a form like 192.168.0.0/24, I get a pop-up message "Please match the requested format" when I click save.
    The actual dropdown is greyed out at "32" and does not allow you to change the value.

    Using 192.168.0.1-192.168.0.254 does work.

    As a side note, if entering an alias for a 'subnet' … is it possible to have the 'values' shown as 192.168.0.0/24 vs listing out 254 IPs?

    Shane


  • LAYER 8 Global Moderator

    If you want aliases that are networks, use the networking type for aliases.




  • But if I make a "network" type, then I cannot add it to another alias that is host(s).

    i.e.
    Host Alias:      sam
    Host Alias:      joe
    Network Alias: dr_network

    Host Alias:  trusted  (that includes sam, joe, dr_network ).

    If indeed that is not the intended functionality, at the very least the text should be corrected, i.e.

    " An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated"


  • LAYER 8 Global Moderator

    huh?

    Here is an alias that has a specific IP, an FQDN and a network in it.




  • That is an alias that has 3 hardcoded types.

    I want an alias that contains other aliases.

    Try this, create 2 aliases:

    1. type = host(s)
          name = sam
          ip = 192.168.1.22

    2. type = network
          name = backup_net
          ip = 10.10.1.0/24

    3. type = host(s)
          name = trusted
          ip = sam
          ip = backup_net

    As you type "sa", the autocomplete fills out sam.
    As you type "test", the autocomplete never fills out.

    You can fully type in test and hit enter, and it appears to save, but I have to set up a test network to see if it is actually respecting the alias in the config, even though it did not appear to be a valid value according to the autocomplete.



  • Ok, I was able to set up a test network and rules and it does work if you manually type it.

    But still I believe it is a bug in the autocomplete functionality which I believe is giving me a list of all 'valid' aliases that I can enter (and the network one doesn't present) … that and the text in the type=host(s) should be changed if you in fact should not be able to enter a subnet.



  • That input field in 2.2.6 allowed "free text" to be entered. Then the validation code parsed and checked it, reporting any errors it found. The parsing automagically took apart lists of IP addresses, IP ranges, converting a (small) range into a list of individual addresses (for the hosts type case) etc. - like in the help text.

    The parsing code is still all there, patiently waiting for any input like that. But now with "bootstrap" there is real-time validation being done in the front-end. So you can't actually input text in those formats.

    If the front-end validation is changed to just allow "free text" input (or some interesting more complex repeating pattern), then the back-end validation can take over again.



  • Redmine issue https://redmine.pfsense.org/issues/6322
    Pull request https://github.com/pfsense/pfsense/pull/2937

    I tested a bunch of variations of entering network/CIDR and IP address ranges and the back-end code is still expanding them OK. Allowing the extended forms of input at the front-end (as per the pull request) is all that is needed.
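
The expansion that the help text and the two posts above describe (ranges and small subnets turned into a list of individual addresses, anything else kept as a name), written out as an added example. This is not code from the thread or from pfSense; the function names, the 256-address cap and the choice to list every address in a subnet (network and broadcast included) are assumptions made for illustration.

```python
import ipaddress

MAX_EXPAND = 256  # assumed cap on a "small" range or subnet; not a pfSense value


def expand_host_entry(entry, max_expand=MAX_EXPAND):
    """Return the individual addresses (or the single name) one entry stands for."""
    entry = entry.strip()
    if "-" in entry:
        # Possible range "lo-hi"; FQDNs may contain "-" too, so parse defensively.
        lo_s, _, hi_s = entry.partition("-")
        try:
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        except ValueError:
            lo = hi = None  # not a range, handled as a name further down
        if lo is not None:
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"bad range: {entry}")
            if int(hi) - int(lo) + 1 > max_expand:
                raise ValueError(f"range too large to expand: {entry}")
            return [str(type(lo)(n)) for n in range(int(lo), int(hi) + 1)]
    if "/" in entry:
        # strict=False accepts host bits set, e.g. 192.168.1.17/28
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > max_expand:
            raise ValueError(f"subnet too large to expand: {entry}")
        return [str(addr) for addr in net]
    try:
        return [str(ipaddress.ip_address(entry))]
    except ValueError:
        return [entry]  # FQDN or nested alias name, resolved elsewhere


def expand_alias(entries):
    """Expand every entry of an alias, dropping duplicates but keeping order."""
    seen = {}
    for entry in entries:
        for item in expand_host_entry(entry):
            seen.setdefault(item, None)
    return list(seen)


if __name__ == "__main__":
    # Constructed sample input using the values quoted in the thread.
    sample = ["192.168.1.22", "192.168.1.1-192.168.1.10", "192.168.1.16/28", "sam"]
    for value in expand_alias(sample):
        print(value)
```

Running an alias definition through a check like this before saving shows exactly which addresses a firewall rule will match, which is useful when the UI lists only the expanded values.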



  • @sforsythe:

    Ok, I was able to set up a test network and rules and it does work if you manually type it.

    But still I believe it is a bug in the autocomplete functionality which I believe is giving me a list of all 'valid' aliases that I can enter (and the network one doesn't present) … that and the text in the type=host(s) should be changed if you in fact should not be able to enter a subnet.

    I am seeing the same issue: if I create a new alias with type Host, when I type an existing alias the autofill only shows Host aliases. If I were to choose alias type network, the autofill will only show network aliases. If we want to create a group alias of both existing host and network aliases, the autofill is not useful. I am trusting above that manually typing a mixture of host and network aliases into a new network alias will still consider IPs for the child aliases in question.

    Some clarification on this matter would be very much appreciated.

    I second this is a bug that should be fixed.

