Bug #12440 (closed): Zero-value prefix IPv6 addresses are mishandled
% Done: 100%
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: All
Description
Zero-value prefix IPv6 addresses on the type ::/96 are mishandled when used in pfSense firewall or NAT rules.
For example an address such as ::192.168.10.10 used in a NAT rule:
<rule>
  <source>
    <any></any>
  </source>
  <destination>
    <address>::192.168.10.10</address>
    <port>45678</port>
  </destination>
  <ipprotocol>inet6</ipprotocol>
  <protocol>tcp</protocol>
  <target>::10:0001</target>
  <local-port>45678</local-port>
  <interface>wan</interface>
  <descr><![CDATA[v6 test]]></descr>
  <associated-rule-id>nat_614dcdfc0fb0d6.83146982</associated-rule-id>
  <created>
    <time>1632488956</time>
    <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
  </created>
  <updated>
    <time>1633728663</time>
    <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
  </updated>
</rule>
Results in a generated pf rule:
rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001
That is invalid and prevents the ruleset loading:
There were error(s) loading the rules: /tmp/rules.debug:79: could not parse host specification - The line in question reads [79]: rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001 @ 2021-10-08 23:13:08
IPv6 addresses of that format appear to be deprecated though pf itself appears to be able to handle them.
Either the input validation should reject zero-prefix addresses, or the ruleset should be generated correctly so that they are included.
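The two remedies named above can both be shown on the report's own values. The following is an added example written for this page, not pfSense code: it models the visible defect (an address with an embedded dotted quad losing its dots and collapsing to ::1921681010), then shows the generation-side fix, which is to canonicalise every IPv6 address into its hex-only form before it is written into the pf rule (::192.168.10.10 becomes ::c0a8:a0a, which pf parses without any dots), and the validation-side alternative, which rejects addresses in the deprecated IPv4-compatible range ::/96 (RFC 4291, section 2.5.5.1) while still allowing :: and ::1. The `naive_strip_dots` function is a constructed stand-in for whatever pfSense actually does to the string; the interface name, port and rule layout are copied from the report.

```python
import ipaddress

# Constructed model of the bug's visible effect, not pfSense's real code:
# dropping the dots of the embedded IPv4 quad yields "::1921681010", which
# pf rejects with "could not parse host specification".
def naive_strip_dots(addr: str) -> str:
    return addr.replace(".", "")

def normalize_ipv6(addr: str) -> str:
    """Return the canonical hex-only text of an IPv6 address.

    Any dotted-quad suffix (::192.168.10.10, ::ffff:192.168.10.10) is folded
    into hex groups, so the output never contains a dot.  Raises ValueError
    (ipaddress.AddressValueError) for anything that is not an IPv6 address.
    """
    return str(ipaddress.IPv6Address(addr))

# Deprecated IPv4-compatible addresses occupy ::/96.  The unspecified address
# (::) and loopback (::1) sit in that prefix too but are legitimate, so they
# are excluded from the rejection.
_IPV4_COMPATIBLE = ipaddress.IPv6Network("::/96")

def is_deprecated_ipv4_compatible(addr: str) -> bool:
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::") or a.is_loopback:
        return False
    return a in _IPV4_COMPATIBLE

def validate_rule_address(addr: str) -> str:
    """Input-validation variant: refuse zero-prefix (::/96) addresses outright."""
    if is_deprecated_ipv4_compatible(addr):
        raise ValueError(f"{addr}: deprecated IPv4-compatible IPv6 address (::/96) not allowed")
    return normalize_ipv6(addr)

def build_rdr_rule(iface: str, proto: str, dst: str, port: int, target: str) -> str:
    """Generation-side fix: emit only canonical addresses into the pf rule text."""
    return (f"rdr on {iface} inet6 proto {proto} from any "
            f"to {normalize_ipv6(dst)} port {port} -> {normalize_ipv6(target)}")

if __name__ == "__main__":
    print("buggy :", naive_strip_dots("::192.168.10.10"))
    print("fixed :", build_rdr_rule("vtnet0", "tcp", "::192.168.10.10", 45678, "::10:0001"))
    try:
        validate_rule_address("::192.168.10.10")
    except ValueError as e:
        print("reject:", e)
```

Note that the report's own NAT target, ::10:0001, also lies inside ::/96, so a policy that rejects zero-prefix addresses at validation time would refuse both sides of this rule; the normalisation route keeps both and produces a line pf can load.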