Bug #12440

closed

Zero-value prefix IPv6 addresses are mishandled

Added by Steve Wheeler about 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Web Interface
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:
All

Description

Zero-value prefix IPv6 addresses of the type ::/96 are mishandled when used in pfSense firewall or NAT rules.

For example, an address such as ::192.168.10.10 used in a NAT rule:

        <rule>
            <source>
                <any></any>
            </source>
            <destination>
                <address>::192.168.10.10</address>
                <port>45678</port>
            </destination>
            <ipprotocol>inet6</ipprotocol>
            <protocol>tcp</protocol>
            <target>::10:0001</target>
            <local-port>45678</local-port>
            <interface>wan</interface>
            <descr><![CDATA[v6 test]]></descr>
            <associated-rule-id>nat_614dcdfc0fb0d6.83146982</associated-rule-id>
            <created>
                <time>1632488956</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </created>
            <updated>
                <time>1633728663</time>
                <username><![CDATA[admin@172.21.16.5 (Local Database)]]></username>
            </updated>
        </rule>

Results in a generated pf rule:
rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001

That is invalid and prevents the ruleset from loading:

There were error(s) loading the rules: /tmp/rules.debug:79: could not parse host specification - The line in question reads [79]: rdr on vtnet0 inet6 proto tcp from any to ::1921681010 port 45678 -> ::10:0001
@ 2021-10-08 23:13:08

IPv6 addresses of that format appear to be deprecated, though pf itself appears to be able to handle them.

Either the input validation should reject zero-prefix addresses or the ruleset should be created correctly to include them.
