Description
When configuring a port forward with access restriction enabled, leaving the “Restricted addresses” field empty results in a port forward that matches no traffic at all, effectively behaving as if the rule did not exist.
From a technical perspective, the rule is implemented as a saddr match against an empty set, which nftables never matches.
This behavior is confusing from a UX standpoint and is likely unintended.
Steps to reproduce
- Create a port forward with “Restrict access from” enabled and an empty address list.
Expected behavior
One of the following behaviors should be implemented consistently across frontend and backend:
- No restriction applied if the field is empty
  - If no addresses (or object) are specified, the restriction parameter should not be sent to the backend.
  - The port forward should behave as unrestricted.
- Validation enforced
  - If “restricted access” is enabled, the address/object field must be mandatory.
  - Prevent saving the rule if the list is empty.
- Explicit “Do not restrict” option (preferred UX)
  - Add a first radio option (enabled by default), e.g. “Do not restrict”.
  - Rename the label from “Restrict access from” to something clearer, like “Port forward access”.
  - Apply restrictions only when a restrictive option is explicitly selected.
Actual behavior
- The UI allows enabling “Restrict access from” → “Enter restricted addresses”.
- The “Restricted addresses” field is optional.
- If the field is left empty:
  - The backend applies a restriction anyway.
  - nftables evaluates the rule against an empty set.
  - No traffic ever matches.
  - The port forward is effectively disabled without warning.
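As an added illustration of the first two expected behaviors (this is not code from NethSecurity or the issue author), the shell snippet below renders the nftables rule text for a port forward: an empty address list yields a rule with no saddr match instead of a match against an empty set, and a separate check rejects a restricted rule that has no addresses. The table “inet fw4”, chain “dstnat_wan” and set-name prefix “pf_allowed_” are assumed names.

```shell
#!/bin/sh
# Added example, not the project's own code. Renders nft script text for a
# port forward so that an empty "restricted addresses" list produces an
# unrestricted rule (option 1) and can be rejected up front (option 2).
# Table "inet fw4", chain "dstnat_wan" and set prefix "pf_allowed_" are assumed.

# Option 2: refuse a rule that has "Restrict access from" enabled but no addresses.
# $1 = restrict flag (0/1), $2 = space-separated address list. Returns 1 on error.
validate_restriction() {
    if [ "$1" = "1" ] && [ -z "$2" ]; then
        echo "error: 'Restrict access from' is enabled but no addresses were given" >&2
        return 1
    fi
    return 0
}

# Option 1: emit the dnat rule and add the saddr match only when the list is non-empty.
# $1 = destination port, $2 = "ip:port" target, $3 = space-separated allowed
# addresses or CIDRs (may be empty). Output is nft script text on stdout.
build_forward_rule() {
    if [ -z "$3" ]; then
        # Empty list: no saddr match at all, so the forward is unrestricted.
        # The behaviour reported in the issue would instead emit
        # "ip saddr @pf_allowed_$1" against an empty set, which never matches.
        printf 'add rule inet fw4 dstnat_wan tcp dport %s dnat ip to %s\n' "$1" "$2"
    else
        elems=$(printf '%s' "$3" | sed 's/ /, /g')
        printf 'add set inet fw4 pf_allowed_%s { type ipv4_addr; flags interval; elements = { %s }; }\n' "$1" "$elems"
        printf 'add rule inet fw4 dstnat_wan ip saddr @pf_allowed_%s tcp dport %s dnat ip to %s\n' "$1" "$1" "$2"
    fi
}

# Demo with constructed values: a restricted forward with two sources, then an
# unrestricted one. The output can be syntax-checked with "nft -c -f -" before use.
if [ "${1:-}" = "demo" ]; then
    validate_restriction 1 '192.0.2.10 198.51.100.0/24' && \
        build_forward_rule 8080 192.168.1.10:80 '192.0.2.10 198.51.100.0/24'
    build_forward_rule 2222 192.168.1.20:22 ''
fi
```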
See also
- The term “Restricted addresses” is ambiguous.
  - It’s unclear whether these addresses are allowed or denied.
  - A label like “Allowed addresses” may be clearer in this context.
- The current UI requires opening the tooltip to understand the behavior.
https://mattermost.nethesis.it/nethesis/pl/8c7m7hun9ibw8y8bno1mf8cw3a