Bug #12440

open

zero-value prefix IPv6 addresses are mishandled.

Added by Steve Wheeler about 2 months ago. Updated 10 days ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:
All

Description

Zero-value prefix IPv6 addresses on the type ::/96 are mishandled when used in pfSense firewall or NAT rules.

For example an address such as ::192.168.10.10 used in a NAT rule:

        <rule>
            <source>
                <any></any>
            </source>
            <destination>
                <address>::192.168.10.10</address>
                <port>45678</port>
            </destination>
            <ipprotocol>inet6</ipprotocol>
            <protocol>tcp</protocol>
            <target>::10:0001</target>
            <local-port>45678</local-port>
            <interface>wan</interface>
            <descr><![CDATA[v6 test]]></descr>
            <associated-rule-id>nat_614dcdfc0fb0d6.83146982</associated-rule-id>
            <created>
                <time>1632488956</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </created>
            <updated>
                <time>1633728663</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </updated>
        </rule>

Results in a generated pf rule:
rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001

That is invalid and prevents the ruleset loading:

There were error(s) loading the rules: /tmp/rules.debug:79: could not parse host specification - The line in question reads [79]: rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001
@ 2021-10-08 23:13:08

IPv6 addresses of that format appear to be deprecated though pf itself appears to be able to handle them.

Either the input validation should reject zero prefix addresses or the ruleset should be created correctly to include them.

Actions #1

Updated by Viktor Gurov about 2 months ago

Steve Wheeler wrote:

IPv6 addresses of that format appear to be deprecated though pf itself appears to be able to handle them.

Either the input validation should reject zero prefix addresses or the ruleset should be created correctly to include them.

Firewall rules with zero prefix can be used with dynamic delegated prefix, see #6626

Actions #2

Updated by Viktor Gurov 12 days ago

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/469

example:
fw rule on IPv6 interface with fc00:88::99 address for ::192.168.10.10 dst address:

pass  in  quick  on $LAN inet6 proto tcp  from any to fc00:88::c0a8:a0a port 636 tracker 1637420076 flags S/SA keep state  label "USER_RULE" 
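
The report shows the dotted-quad tail of ::192.168.10.10 being emitted as ::1921681010 (dots dropped, digits run together), which pf rejects, while the fix in comment #2 emits the address in hex form (::c0a8:a0a). The following is an added example, not pfSense code from the merge request: it models the mangling as a hypothetical helper, then shows the defensive route a ruleset generator should take, namely parsing the address with Python's ipaddress module and re-rendering it in RFC 5952 hex form with "::" compression before writing it into a pf rule, plus a check for the deprecated IPv4-compatible ::/96 form so the input layer can flag it if rejection is preferred. The sample addresses and the rdr template are taken from the report; the interface name and port are placeholders.

```python
import ipaddress

# Constructed sample input: the destination address entered in the NAT rule from the report.
SAMPLE_ADDR = "::192.168.10.10"


def mangled_form(addr: str) -> str:
    """Hypothetical model of the mishandling seen in the report: the dots of the
    embedded IPv4 part are dropped, producing e.g. ::1921681010.  Not pfSense code."""
    return addr.replace(".", "")


def is_valid_v6(addr: str) -> bool:
    """True if the string parses as an IPv6 address (pf would accept the host spec)."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ValueError:
        return False


def to_pf_hex(addr: str) -> str:
    """Render an IPv6 address as eight hex groups with the longest zero run
    compressed to '::' (RFC 5952 style), so ::192.168.10.10 becomes ::c0a8:a0a.
    Raises ValueError on input that is not a valid IPv6 address."""
    packed = ipaddress.IPv6Address(addr).packed          # 16 raw bytes
    groups = [(packed[i] << 8) | packed[i + 1] for i in range(0, 16, 2)]

    # Locate the longest run of all-zero groups; only runs of 2+ are compressed.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1

    hexes = [f"{g:x}" for g in groups]                    # no leading zeros, lowercase
    if best_len >= 2:
        left = ":".join(hexes[:best_start])
        right = ":".join(hexes[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(hexes)


def is_ipv4_compatible(addr: str) -> bool:
    """True for the deprecated IPv4-compatible form ::a.b.c.d (RFC 4291 section 4.2.5.1):
    the upper 96 bits are zero and the low 32 bits are non-zero, excluding :: and ::1.
    A validator that wants to reject zero-prefix addresses can key on this."""
    n = int(ipaddress.IPv6Address(addr))
    return (n >> 32) == 0 and n > 1


def pf_rdr_rule(dst: str, port: int, target: str, iface: str = "vtnet0") -> str:
    """Emit the rdr line from the report with both addresses normalized to hex form.
    Invalid input raises before anything reaches the ruleset."""
    return (f"rdr on {iface} inet6 proto tcp from any to {to_pf_hex(dst)} "
            f"port {port} -> {to_pf_hex(target)}")


if __name__ == "__main__":
    print("mangled :", mangled_form(SAMPLE_ADDR), "valid:", is_valid_v6(mangled_form(SAMPLE_ADDR)))
    print("fixed   :", pf_rdr_rule(SAMPLE_ADDR, 45678, "::10:0001"))
    print("v4-compat:", is_ipv4_compatible(SAMPLE_ADDR))
```

Normalizing through a real parser rather than string manipulation is what keeps the generated host specification loadable; whether the deprecated ::/96 form should then be rejected or passed through is the policy question raised in the description, and `is_ipv4_compatible` gives the input layer the hook for either choice.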

Actions #3

Updated by Jim Pingle 10 days ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov