Migration: incorrect reflection_zone and IPsec settings in port forward rule

[gsanchietti]

Steps to reproduce

• On NethServer 7, create a port forward and enable the hairpin NAT
• Export the configuration and migrate it to NethSecurity
• Check the reflection_zone entries for OpenVPN and IPsec-related zones.

Expected behavior

• The reflection_zone entries should correctly map the zones:
  • openvpnrw should be replaced with rwopenvpn.
  • openvpntun should be replaced with openvpn.
  • ipsectun should be replaced with ipsec.

Actual behavior

• The reflection_zone settings in port forward rules incorrectly use openvpnrw, openvpntun, and ipsectun, leading to misconfiguration.

Required changes (diff):

--- firewall    2024-09-23 15:33:26.000000000 +0000
+++ /etc/config/firewall        2024-09-23 15:42:53.899041348 +0000
@@ -300,10 +300,10 @@
 config redirect 'portfw_rule_1'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.100'
        option dest_port '443'
-       list reflection_zone 'openvpnrw'
+       list reflection_zone 'rwopenvpn'

 config redirect 'portfw_rule_2'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1194'
        option dest_ip '192.168.1.101'
        option dest_port '1194'
-       list reflection_zone 'openvpntun'
+       list reflection_zone 'openvpn'

 config redirect 'portfw_rule_3'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '500'
        option dest_ip '192.168.1.102'
        option dest_port '500'
-       list reflection_zone 'ipsectun'
+       list reflection_zone 'ipsec'

Components

NethSecurity Image: 8-23.05.4-ns.1.2.0

[gsanchietti]

In nethserver-testing: nethserver-firewall-migration-1.0.0-1.4.g651d7cd.ns7.noarch.rpm

Test case

• Check the issue is not reproducible
• Please not that rwopenvpn and openvpn zones have been replaced by *, which means any zone

[cotosso]

issue is not reproducible , reflection zones in port forwards are now consistent with zone names in nethsecurity8

config redirect 'ns_pf1_777'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.56.99'
        option proto 'tcp'
        option name 'pf1_777'
        option src_dport '777'
        option reflection '1'
        list reflection_zone 'lan'
        list reflection_zone 'blue'
        list reflection_zone 'rwopenvpn'
        list reflection_zone 'openvpn'
        list reflection_zone 'ipsec'
        option target 'DNAT'
        option log '0'
        option dest_port '777'
        option enabled '1'

[gsanchietti]

Released in nethserver-updates: nethserver-firewall-migration-1.0.1-1.ns7.noarch.rpm