Feature #11439

closed

IPv6 support in ``easyrule`` CLI script

Added by Viktor Gurov almost 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: Rules / NAT
Target version:
Start date: 02/18/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default

Description

https://forum.netgate.com/topic/160578/getting-errors-loading-rules-after-using-easyrule:

I recently tried to use easyrule to add a firewall rule to my SG1100 from the command line.

Easyrule itself didn't report an error, but since then I am getting "rule expands to no valid combination" errors, and the rule that's causing the problems is not visible in the GUI, so I can't delete it.

Specifically:

There were error(s) loading the rules: /tmp/rules.debug:180: rule expands to no valid combination
The line in question reads [180]:
pass in quick on $WAN reply-to ( mvneta0.4090 <router-ipv4-addr> ) inet proto tcp from any to <client-ipv6-addr>/128 tracker 1612037148 flags S/SA keep state label 'USER_RULE: Easy Rule: Passed from Firewall Log View'

I can see that this rule makes no sense because it mixes IPv4 and IPv6, but how can I get rid of it? /tmp/rules.debug is only a dump...

I eventually found the rule in /cf/conf/config.xml:

<rule>
        <type>pass</type>
        <interface>wan</interface>
        <ipprotocol>inet</ipprotocol>
        <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
        <protocol>tcp</protocol>
        <source>
                <any></any>
        </source>
        <destination>
                <address>{client-ipv6-addr}/128</address>
        </destination>
        <created>
                <time>1612037148</time>
                <username><![CDATA[Easy Rule]]></username>
        </created>
        <tracker>1612037148</tracker>
</rule>

The root account doesn't keep any history, so I don't know exactly which easyrule command I used, but as best I can recall, all I did was:

easyrule pass wan tcp any <ipv6-addr>

As far as I can tell, easyrule doesn't mention IPv6.
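As an added illustration (not code from pfSense or the easyrule script), the following Python checker walks a config.xml and flags filter rules whose <ipprotocol> disagrees with the address family of their literal addresses, which is exactly the state of the quoted rule: ipprotocol inet with a /128 IPv6 destination, so pf has no valid combination to expand it into. The ipprotocol_for() helper is the check a fixed easyrule would perform before writing the rule (derive the family from the addresses given, refuse a mixed-family rule). The config.xml fragment, its tracker numbers and its documentation-range addresses are constructed for the example, and all function names are assumptions.

```python
"""Locate pfSense filter rules whose <ipprotocol> cannot match the address
family of their literal source/destination, the condition that makes pf
reject the generated ruleset with "rule expands to no valid combination".
Added illustration; not pfSense or easyrule code."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed config.xml fragment modelled on the rule quoted in the report.
# Addresses are documentation ranges (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>2001:db8::10/128</address></destination>
      <tracker>1612037148</tracker>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <descr><![CDATA[Easy Rule: IPv4 rule that loads fine]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>192.0.2.10</address></destination>
      <tracker>1612037149</tracker>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet6</ipprotocol>
      <descr><![CDATA[Easy Rule: correct IPv6 form]]></descr>
      <protocol>tcp</protocol>
      <source><any></any></source>
      <destination><address>2001:db8::10/128</address></destination>
      <tracker>1612037150</tracker>
    </rule>
  </filter>
</pfsense>
"""


def address_family(addr):
    """'inet' or 'inet6' for an IP literal (optionally with /prefix);
    None for anything not classifiable statically (any, alias, interface net)."""
    if not addr:
        return None
    try:
        net = ipaddress.ip_network(addr.strip(), strict=False)
    except ValueError:
        return None
    return "inet" if net.version == 4 else "inet6"


def ipprotocol_for(source, destination, default="inet"):
    """The check easyrule needs before writing a rule: derive <ipprotocol>
    from the families actually supplied and refuse a mixed-family rule.
    Hypothetical helper; the real fix would live in the project's PHP."""
    families = {f for f in (address_family(source), address_family(destination)) if f}
    if len(families) > 1:
        raise ValueError(
            f"source {source!r} and destination {destination!r} "
            "are different address families"
        )
    return families.pop() if families else default


def _endpoint_address(rule, tag):
    """Literal <address> under <source>/<destination>, or None for any/alias/network."""
    endpoint = rule.find(tag)
    if endpoint is None or endpoint.find("any") is not None:
        return None
    return endpoint.findtext("address")


def find_family_mismatches(config_xml):
    """Return [{'tracker', 'descr', 'reason'}] for every <filter><rule>
    whose ipprotocol cannot match its literal addresses."""
    root = ET.fromstring(config_xml)
    bad = []
    for rule in root.findall("./filter/rule"):
        ipproto = (rule.findtext("ipprotocol") or "inet").strip()
        src = _endpoint_address(rule, "source")
        dst = _endpoint_address(rule, "destination")
        entry = {"tracker": rule.findtext("tracker"), "descr": rule.findtext("descr")}
        try:
            wanted = ipprotocol_for(src, dst, default=ipproto)
        except ValueError as exc:
            bad.append({**entry, "reason": str(exc)})
            continue
        # inet46 means "both families", so any literal is acceptable there.
        if ipproto in ("inet", "inet6") and wanted != ipproto:
            bad.append({**entry, "reason": f"ipprotocol is {ipproto} but addresses are {wanted}"})
    return bad


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for hit in find_family_mismatches(text):
        print(f"tracker {hit['tracker']}: {hit['descr']}: {hit['reason']}")
```

Run it against a copy of /cf/conf/config.xml to get the tracker number of the rule the GUI does not show; that same number appears as `tracker` on the offending line in /tmp/rules.debug, which ties the pf load error back to the config.xml entry that has to be removed.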
