When configuring a port forward with access restriction enabled, leaving the “Restricted addresses” field empty results in the port forward not matching any traffic at all, effectively behaving as if the rule does not exist.
From a technical perspective, the rule is implemented with an saddr match against an empty set, which causes nftables to never match.
This behavior is confusing from a UX standpoint and likely unintended.
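As an added check (not code from the original report or from the project), the following script inspects `nft -j list ruleset` JSON and flags dnat rules whose saddr match points at an empty set, which is exactly the silently dead port forward described above; the sample ruleset and its table and set names are constructed for illustration:

```python
"""Find port forwards silently disabled by an empty source-restriction set."""
import json

# Constructed sample shaped like `nft -j list ruleset` output; table, set and
# chain names are hypothetical. An empty nftables set has no "elem" key, which
# is what a blank "Restricted addresses" field ends up producing.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "fw"}},
    {"set": {"family": "inet", "table": "fw", "name": "pf_web_src",
             "type": "ipv4_addr"}},  # empty: restriction field left blank
    {"set": {"family": "inet", "table": "fw", "name": "pf_ssh_src",
             "type": "ipv4_addr", "elem": ["203.0.113.5"]}},  # populated
    {"rule": {"family": "inet", "table": "fw", "chain": "dstnat", "handle": 10,
              "expr": [{"match": {"op": "==", "right": "@pf_web_src",
                                  "left": {"payload": {"protocol": "ip", "field": "saddr"}}}},
                       {"match": {"op": "==", "right": 8080,
                                  "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
                       {"dnat": {"addr": "192.0.2.10", "port": 80}}]}},
    {"rule": {"family": "inet", "table": "fw", "chain": "dstnat", "handle": 11,
              "expr": [{"match": {"op": "==", "right": "@pf_ssh_src",
                                  "left": {"payload": {"protocol": "ip", "field": "saddr"}}}},
                       {"match": {"op": "==", "right": 2222,
                                  "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
                       {"dnat": {"addr": "192.0.2.20", "port": 22}}]}},
    {"rule": {"family": "inet", "table": "fw", "chain": "dstnat", "handle": 12,
              "expr": [{"match": {"op": "==", "right": 443,
                                  "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
                       {"dnat": {"addr": "192.0.2.30", "port": 443}}]}},  # unrestricted
]})

def dead_port_forwards(ruleset_json):
    """Return handles of dnat rules whose saddr match refers to an empty set."""
    ruleset = json.loads(ruleset_json)
    # Element count per (family, table, set name); a missing "elem" key means 0.
    sizes = {(s["family"], s["table"], s["name"]): len(s.get("elem", []))
             for s in (o.get("set") for o in ruleset["nftables"]) if s}
    dead = []
    for rule in (o.get("rule") for o in ruleset["nftables"]):
        if not rule or not any("dnat" in e for e in rule["expr"]):
            continue  # only port forwards (dnat rules) are of interest
        for e in rule["expr"]:
            m = e.get("match", {})
            field = m.get("left", {}).get("payload", {}).get("field")
            ref = m.get("right")  # a set reference is the string "@<name>"
            if field == "saddr" and isinstance(ref, str) and ref.startswith("@"):
                if sizes.get((rule["family"], rule["table"], ref[1:]), 0) == 0:
                    dead.append(rule["handle"])  # saddr vs empty set: never matches
    return dead
```

On a live system, feed it the output of `nft -j list ruleset`; every handle it returns is a port forward that currently accepts no traffic at all.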
Steps to reproduce
- Create a port forward restricted from an empty address
Expected behavior
One of the following behaviors should be implemented consistently across frontend and backend:
- No restriction applied if the field is empty
  - If no addresses (or object) are specified, the restriction parameter should not be sent to the backend.
  - The port forward should behave as unrestricted.
- Validation enforced
  - If “restricted access” is enabled, the address/object field must be mandatory.
  - Prevent saving the rule if the list is empty.
- Explicit “Do not restrict” option (preferred UX)
  - Add a first radio option (enabled by default), e.g. “Do not restrict”.
  - Rename the label from “Restrict access from” to something clearer like “Port forward access”.
  - Apply restrictions only when a restrictive option is explicitly selected.
Actual behavior
- The UI allows enabling Restrict access from → Enter restricted addresses.
- The Restricted addresses field is optional.
- If the field is left empty:
  - The backend applies a restriction anyway.
  - nftables evaluates the rule against an empty ipset.
  - No traffic ever matches.
  - The port forward is effectively disabled without warning.
- The term “Restricted addresses” is ambiguous.
- The current UI requires opening the tooltip to understand the behavior.
See also
https://mattermost.nethesis.it/nethesis/pl/8c7m7hun9ibw8y8bno1mf8cw3a