os-bind: ACLs don't accept negative match #4435
…4435) BindAddressMatchField and matching validator are derived from the standard NetworkField and validator. Modifications permit supporting negation (!) and referencing built-in ACLs. At this time, it does not support referencing other user-defined ACLs.
Switch the UI for ACL definitions and ACL for filter-aaaa to use the BindAddressMatchField type. Because the introduction of negation makes the ACL entry order critical, this switches the user interface to a textbox, with one entry per line instead of the tokenized list. This interface allows much easier ordering of the entries. This change introduces no model changes and thus no upgrade migrations are necessary. If ACLs are created with negation or references to the built-in ACLs, and the plugin is downgraded, the configuration templates will render correctly, but updating the configuration will require removing the negation and/or built-in ACL references to pass validation.
@Leseratte10 see if #4520 is going in the right direction for your expectations. There is still the issue that a configuration item referencing a list of ACLs doesn't have reasonable control over the order, which is important when introducing negation. Ultimately, a field type that fully matched an Address Match List model, including referencing other user-defined ACLs, would be most desirable, but is a bit ambitious for my first plugin contribution.
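As an added illustration of the ordering point raised in the commit message above (example code, not part of the plugin or of this thread): a small Python model of a BIND address match list that accepts negation and the built-in ACLs and evaluates an address with BIND's first-match rule, so the same two elements give a different answer depending on their order. The `parse_entry`/`evaluate` names and the `local_addrs`/`local_nets` parameters standing in for the server's interfaces are assumptions of this example.

```python
import ipaddress

# BIND built-in ACLs that an address match list may reference.
BUILTIN_ACLS = ("any", "none", "localhost", "localnets")


def parse_entry(entry):
    """Parse one element such as "!10.0.1.0/24" or "localnets" into (negated, value).

    value is an ip_network or a built-in ACL name; anything else raises ValueError,
    which is the job the plugin's validator does. The ipaddress module rejects the
    short form "10/8" and, with strict=True, host bits set in a prefix.
    """
    text = entry.strip()
    negated = text.startswith("!")
    value = text[1:].strip() if negated else text
    if value in BUILTIN_ACLS:
        return negated, value
    return negated, ipaddress.ip_network(value, strict=True)


def evaluate(acl, addr, local_addrs=(), local_nets=()):
    """Apply BIND's first-match rule: the first element that matches decides.

    Returns True if addr is matched, False if the matching element is negated,
    None if nothing matched. local_addrs/local_nets (hypothetical parameters)
    stand in for the server's interfaces, which "localhost"/"localnets" refer to.
    """
    ip = ipaddress.ip_address(addr)
    for negated, value in (parse_entry(e) for e in acl):
        if value == "any":
            hit = True
        elif value == "none":
            hit = False
        elif value == "localhost":
            hit = any(ip == ipaddress.ip_address(a) for a in local_addrs)
        elif value == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in local_nets)
        else:
            hit = ip in value
        if hit:
            return not negated
    return None


if __name__ == "__main__":
    # Same two elements, different order: only the negation-first list keeps
    # 10.0.1.5 out, because in the other list 10.0.0.0/8 already matched it.
    print(evaluate(["10.0.0.0/8", "!10.0.1.0/24"], "10.0.1.5"))  # True
    print(evaluate(["!10.0.1.0/24", "10.0.0.0/8"], "10.0.1.5"))  # False
```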
Describe the bug
In a normal bind configuration, anywhere where you can enter IP ranges (like in an ACL), you can use an exclamation mark to invert a match.
For example, you could do
10.0.0.0/8; !10.0.1.0/24
to refer to everything inside 10.0.0.0/8 except for clients that are in 10.0.1.0/24. When I try to enter any network preceded by an exclamation mark in the ACL config, it refuses to let me save the ACL, stating "Please specify a valid network segment or IP address."
This bug also applies to other places where an ACL can be entered, like for the "ACL for filter-aaaa" entry.
To Reproduce
Steps to reproduce the behavior:
10.0.0.0/8, !10.0.1.0/24 for the network list
Expected behavior
It should add the ACL.
Additional context
The plugin also doesn't allow the short syntax for IPv4 subnets (like "10/8" to refer to 10.0.0.0/8) which is supported by bind. Not a big issue, though, since you can just write the full network. But I haven't found a workaround to exclude single IPs or network ranges from an ACL like you could with an exclamation mark in the bind config.
(Sidenote, I'm also wondering why "ACL for filter-aaaa" requires a list of addresses while "Recursion", "Allow Transfer" and "Allow Query" are nice drop-downs to select one or many ACLs? Why isn't the filter-aaaa one a dropdown to select an ACL as well?)
Environment
OPNsense 24.7.11_2
os-bind 1.33_1