Bug #12440 (closed)

Zero-value prefix IPv6 addresses are mishandled

Added by Steve Wheeler 8 months ago. Updated 8 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Web Interface
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: All

Description

Zero-value prefix IPv6 addresses on the type ::/96 are mishandled when used in pfSense firewall or NAT rules.

For example an address such as ::192.168.10.10 used in a NAT rule:

        <rule>
            <source>
                <any></any>
            </source>
            <destination>
                <address>::192.168.10.10</address>
                <port>45678</port>
            </destination>
            <ipprotocol>inet6</ipprotocol>
            <protocol>tcp</protocol>
            <target>::10:0001</target>
            <local-port>45678</local-port>
            <interface>wan</interface>
            <descr><![CDATA[v6 test]]></descr>
            <associated-rule-id>nat_614dcdfc0fb0d6.83146982</associated-rule-id>
            <created>
                <time>1632488956</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </created>
            <updated>
                <time>1633728663</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </updated>
        </rule>

Results in a generated pf rule:
rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001

That is invalid and prevents the ruleset loading:

There were error(s) loading the rules: /tmp/rules.debug:79: could not parse host specification - The line in question reads [79]: rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001
@ 2021-10-08 23:13:08

IPv6 addresses of that format appear to be deprecated though pf itself appears to be able to handle them.

Either the input validation should reject zero prefix addresses or the ruleset should be created correctly to include them.

Actions #1

Updated by Viktor Gurov 7 months ago

Steve Wheeler wrote:

> IPv6 addresses of that format appear to be deprecated though pf itself appears to be able to handle them.
>
> Either the input validation should reject zero prefix addresses or the ruleset should be created correctly to include them.

Firewall rules with zero prefix can be used with dynamic delegated prefix, see #6626

Actions #2

Updated by Viktor Gurov 6 months ago

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/469

example:
fw rule on IPv6 interface with fc00:88::99 address for ::192.168.10.10 dst address:

pass  in  quick  on $LAN inet6 proto tcp  from any to fc00:88::c0a8:a0a port 636 tracker 1637420076 flags S/SA keep state  label "USER_RULE" 
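
Added illustration (not pfSense code and not part of this ticket): the Python below reproduces the three behaviours reported here, the dotted-quad tail being stripped into an unparseable host spec (::1921681010), the truncated 0:c0a8:a0a form from note #5 that pf also rejects, and a zero-prefix address merged with the interface prefix as note #2 shows (fc00:88::99 and ::192.168.10.10 giving fc00:88::c0a8:a0a). The /64 prefix length, the merge rule and all function names are assumptions.

```python
import ipaddress

# Constructed sample values: the addresses from this ticket and the LAN interface
# address fc00:88::99 from note #2. The /64 prefix length is an assumption.
LAN_IFACE_ADDR = "fc00:88::99"
PREFIXLEN = 64


def naive_strip_dots(text: str) -> str:
    """What the buggy generator effectively did: drop the dots of the IPv4 tail.
    '::192.168.10.10' becomes '::1921681010', which pf cannot parse."""
    return text.replace(".", "")


def is_valid_v6(text: str) -> bool:
    """Accept only what a strict parser (and pf) accepts; rejects '::1921681010'
    and the truncated '0:c0a8:a0a' form reported in note #5."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def normalize_v6(text: str) -> str:
    """Parse the dotted-quad tail forms (::192.168.10.10, ::ffff:192.168.10.10)
    and return canonical hex notation that pf accepts."""
    return ipaddress.IPv6Address(text).compressed


def is_zero_prefix(text: str, prefixlen: int = PREFIXLEN) -> bool:
    """True when the upper prefixlen bits are all zero, i.e. the address only
    carries a host part and expects the interface prefix to be filled in."""
    host_mask = (1 << (128 - prefixlen)) - 1
    return int(ipaddress.IPv6Address(text)) & ~host_mask == 0


def merge_with_prefix(host_part: str, iface_addr: str, prefixlen: int = PREFIXLEN) -> str:
    """Network bits from the interface address, host bits from the zero-prefix
    address: ::192.168.10.10 on fc00:88::99/64 -> fc00:88::c0a8:a0a (as in note #2)."""
    net = ipaddress.IPv6Network(f"{iface_addr}/{prefixlen}", strict=False)
    host = int(ipaddress.IPv6Address(host_part)) & int(net.hostmask)
    return ipaddress.IPv6Address(int(net.network_address) | host).compressed


def pf_host_spec(addr: str, iface_addr: str = LAN_IFACE_ADDR, prefixlen: int = PREFIXLEN) -> str:
    """Host specification to emit into the pf rule: merge zero-prefix addresses
    with the interface prefix (hypothetical rule), otherwise just normalize."""
    if is_zero_prefix(addr, prefixlen):
        return merge_with_prefix(addr, iface_addr, prefixlen)
    return normalize_v6(addr)
```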

Actions #3

Updated by Jim Pingle 6 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov

Actions #3

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05

Actions #4

Updated by Marcos Mendoza 2 months ago

Tested on 22.05.a.20220311.0600 with the patch.

The IP ::192.168.10.10 and ::ffff:192.168.10.10 are being converted to 0:c0a8:a0a which results in the error:

There were error(s) loading the rules: no IP address found for 0:c0a8:a0a - The line in question reads [0]: @ 2022-03-13 10:11:59

Actions #6

Updated by Viktor Gurov 2 months ago

Marcos Mendoza wrote in #note-5:

> Tested on 22.05.a.20220311.0600 with the patch.
>
> The IP ::192.168.10.10 and ::ffff:192.168.10.10 are being converted to 0:c0a8:a0a which results in the error:
>
> There were error(s) loading the rules: no IP address found for 0:c0a8:a0a - The line in question reads [0]: @ 2022-03-13 10:11:59

Fixed, please retest the updated MR

Actions #7

Updated by Viktor Gurov about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Target version changed from CE-Next to 2.7.0

Actions #7

Updated by Jim Pingle about 2 months ago

  • Subject changed from zero-value prefix IPv6 addresses are mishandled. to Zero-value prefix IPv6 addresses are mishandled

Updating subject for release notes.

Actions #9

Updated by Viktor Gurov about 2 months ago

  • % Done changed from 0 to 100

Actions #9

Updated by Christopher Cope 8 days ago

  • Status changed from Feedback to Resolved

Tested and working as expected on

22.05-BETA (amd64)
built on Fri May 13 06:28:24 UTC 2022
FreeBSD 12.3-STABLE

Marking resolved.
