Feature #11439
closed
IPv6 support in ``easyrule`` CLI script
Start date: 02/18/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Description
https://forum.netgate.com/topic/160578/getting-errors-loading-rules-after-using-easyrule:
I recently tried to use easyrule to add a firewall rule to my SG1100 from the command line.
Easyrule itself didn't report an error, but since then I am getting "rule expands to no valid combination" errors, and the rule that's causing the problems is not visible in the GUI, so I can't delete it.
Specifically:
There were error(s) loading the rules: /tmp/rules.debug:180: rule expands to no valid combination The line in question reads [180]: pass in quick on $WAN reply-to ( mvneta0.4090 <router-ipv4-addr> ) inet proto tcp from any to <client-ipv6-addr>/128 tracker 1612037148 flags S/SA keep state label 'USER_RULE: Easy Rule: Passed from Firewall Log View'
I can see that this rule makes no sense because it mixes IPv4 and IPv6, but how can I get rid of it? /tmp/rules.debug is only a dump...
I eventually found the rule in /cf/conf/config.xml:
<rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <descr><![CDATA[Easy Rule: Passed from Firewall Log View]]></descr>
    <protocol>tcp</protocol>
    <source>
        <any></any>
    </source>
    <destination>
        <address>{client-ipv6-addr}/128</address>
    </destination>
    <created>
        <time>1612037148</time>
        <username><![CDATA[Easy Rule]]></username>
    </created>
    <tracker>1612037148</tracker>
</rule>
The root account doesn't keep any history, so I don't know exactly which easyrule command I used, but as best I can recall, all I did was:
easyrule pass wan tcp any <ipv6-addr>
As far as I can tell, easyrule doesn't mention IPv6.
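An added example, not part of the original report or of pfSense's own code: a Python check that scans a config.xml-style document for rules like the one above, where `<ipprotocol>` says `inet` but a literal source or destination address is IPv6 (or the reverse). The sample config, its `<pfsense><filter>` wrapper, the tracker values and the name `find_family_mismatches` are constructed for illustration; rules whose address is an alias name or absent are skipped.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <rule> element shown above; addresses
# are documentation ranges and the tracker values are made up.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <source><any></any></source>
    <destination><address>2001:db8::10/128</address></destination>
    <tracker>1000000001</tracker></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <source><any></any></source>
    <destination><address>2001:db8::20/128</address></destination>
    <tracker>1000000002</tracker></rule>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <source><address>192.0.2.0/24</address></source>
    <destination><address>my_alias</address></destination>
    <tracker>1000000003</tracker></rule>
</filter></pfsense>"""

FAMILY = {"inet": 4, "inet6": 6}  # <ipprotocol> value -> IP version


def find_family_mismatches(config_xml):
    """Return (tracker, ipprotocol, side, address) for each rule whose literal
    source/destination address does not match the rule's address family."""
    findings = []
    for rule in ET.fromstring(config_xml).iter("rule"):
        proto = (rule.findtext("ipprotocol") or "").strip()
        if proto not in FAMILY:
            continue  # absent or other value: nothing to compare against
        for side in ("source", "destination"):
            addr = (rule.findtext(f"{side}/address") or "").strip()
            try:
                version = ipaddress.ip_network(addr, strict=False).version
            except ValueError:
                continue  # empty, "any", or an alias name: not a literal address
            if version != FAMILY[proto]:
                findings.append((rule.findtext("tracker"), proto, side, addr))
    return findings


if __name__ == "__main__":
    for tracker, proto, side, addr in find_family_mismatches(SAMPLE_CONFIG):
        print(f"tracker {tracker}: ipprotocol={proto} but {side} is {addr}")
```

The reported tracker value makes it possible to locate the matching `<rule>` element in a configuration backup even when the rule is not visible in the GUI.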