Feature #11439
Closed
IPv6 support in ``easyrule`` CLI script
Description
https://forum.netgate.com/topic/160578/getting-errors-loading-rules-after-using-easyrule:
I recently tried to use easyrule to add a firewall rule to my SG1100 from the command line.
Easyrule itself didn't report an error, but since then I am getting "rule expands to no valid combination" errors, and the rule that's causing the problems is not visible in the GUI, so I can't delete it.
Specifically:
There were error(s) loading the rules: /tmp/rules.debug:180: rule expands to no valid combination
The line in question reads [180]: pass in quick on $WAN reply-to ( mvneta0.4090 <router-ipv4-addr> ) inet proto tcp from any to <client-ipv6-addr>/128 tracker 1612037148 flags S/SA keep state label 'USER_RULE: Easy Rule: Passed from Firewall Log View'
I can see that this rule makes no sense because it mixes IPv4 and IPv6, but how can I get rid of it? /tmp/rules.debug is only a dump...
I eventually found the rule in /cf/conf/config.xml:
<rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
    <protocol>tcp</protocol>
    <source>
        <any></any>
    </source>
    <destination>
        <address>{client-ipv6-addr}/128</address>
    </destination>
    <created>
        <time>1612037148</time>
        <username><![CDATA[Easy Rule]]></username>
    </created>
    <tracker>1612037148</tracker>
</rule>
The root account doesn't keep any history, so I don't know exactly which easyrule command I used, but as best I can recall, all I did was:
easyrule pass wan tcp any <ipv6-addr>
As far as I can tell, easyrule doesn't mention IPv6.
Updated by Viktor Gurov almost 4 years ago
Updated by Viktor Gurov over 3 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle over 3 years ago
- Tracker changed from Bug to Feature
- Subject changed from easyrule doesn't mention IPv6 to IPv6 support in easyrule CLI script
- Target version set to CE-Next
- Affected Version deleted (2.5.0)
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
- Target version changed from CE-Next to 2.6.0
- Plus Target Version set to 21.09
PR has been merged. Thanks!
Updated by Jim Pingle about 3 years ago
- Subject changed from IPv6 support in easyrule CLI script to IPv6 support in ``easyrule`` CLI script
Updating subject for release notes.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Danilo Zrenjanin about 3 years ago
- Status changed from Feedback to Resolved
Tested against:
2.6.0-DEVELOPMENT (amd64) built on Fri Nov 19 06:24:13 UTC 2021 FreeBSD 12.3-PRERELEASE
It works as expected. When I mixed IPv4 and IPv6, I got an error message:
The source IP address family has to match the family of the destination IP address.
When I used a valid easyrule e.g.,
easyrule pass wan tcp fc00:1234::5 fc00:aaaa::b 80
I got confirmation:
Successfully added pass rule!
And the rule was visible in the GUI too.
Ticket resolved.
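An added example, not part of the ticket or of pfSense's own code: a small audit script that finds rules like the one in the description (an IPv6 address under ``<ipprotocol>inet</ipprotocol>``) and rules whose source and destination families differ, which is the condition the fix now rejects. It assumes rules sit under ``filter/rule`` in config.xml and that a missing ``<ipprotocol>`` means ``inet``; the sample config, its addresses and the second tracker value are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the report (its placeholder address replaced
# by a documentation-range IPv6 value) plus one consistent IPv6 rule.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
 <protocol>tcp</protocol><source><any></any></source>
 <destination><address>2001:db8::10/128</address></destination>
 <tracker>1612037148</tracker></rule>
<rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
 <protocol>tcp</protocol><source><address>fc00:1234::5</address></source>
 <destination><address>fc00:aaaa::b</address><port>80</port></destination>
 <tracker>1637300000</tracker></rule>
</filter></pfsense>"""

FAMILY = {4: "inet", 6: "inet6"}

def endpoint_family(rule, side):
    """Return 'inet'/'inet6' for a literal address or network, else None
    (covers <any>, aliases and interface macros, which carry no family)."""
    text = rule.findtext(f"{side}/address")
    if not text:
        return None
    try:
        return FAMILY[ipaddress.ip_network(text.strip(), strict=False).version]
    except ValueError:
        return None

def find_family_mismatches(config_xml):
    """List (tracker, reason) for rules that mix IPv4 and IPv6."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        tracker = rule.findtext("tracker", default="?")
        # Assumption: a rule without <ipprotocol> is treated as IPv4 (inet).
        declared = rule.findtext("ipprotocol", default="inet")
        src = endpoint_family(rule, "source")
        dst = endpoint_family(rule, "destination")
        if src and dst and src != dst:
            findings.append((tracker, f"source is {src}, destination is {dst}"))
        for side, fam in (("source", src), ("destination", dst)):
            if fam and declared in FAMILY.values() and fam != declared:
                findings.append((tracker, f"{side} is {fam}, ipprotocol is {declared}"))
    return findings

if __name__ == "__main__":
    for tracker, reason in find_family_mismatches(SAMPLE_CONFIG):
        print(f"tracker {tracker}: {reason}")
```

Run against a copy of /cf/conf/config.xml, the reported tracker value identifies the rule to remove when it does not appear in the GUI.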