Project

General

Profile

Actions
Copy link

Bug #16194

open

IPv6 ICMP firewall log entries marked with protocol "Options" instead of ICMPv6

Added by Jim Pingle 4 months ago. Updated about 1 month ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
System Logs
Target version:
2.9.0
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
25.11
Release Notes:
Force Exclusion
Affected Version:
2.9.0
Affected Architecture:

Description

Firewall log entries for ICMPv6 packets are showing a value of "Options" in the Protocol column, but only on development snapshots (Plus 25.07, CE 2.9.0).

Plus 25.03 and CE 2.8.0 builds are not affected.

This may be something that changed in PF and possibly being misinterpreted by pflog/filterlog since that is what shows in the actual log.

Plus 25.07/CE 2.9.0 have this entry in filter.log:

filterlog[68725]: 8,,,1000000107,vtnet1,match,block,in,6,0x00,0x00000,1,Options,0,36,fe80::ae1a:a270:e35e:439b,ff02::16,HBH,RTALERT,0x0000,PADN,

A working log entry from Plus 25.03/2.8.0 looks like this:

filterlog[61925]: 6,,,1000000105,vtnet2,match,block,in,6,0x00,0x00000,1,ICMPv6,58,48,fe80::f847:aeff:fe06:1cbd,ff02::16,

Files

Download all files
clipboard-202505191333-f19mh.png (131 KB) clipboard-202505191333-f19mh.png Jim Pingle, 05/19/2025 05:33 PM
clipboard-202507071118-cesbl.png (90.5 KB) clipboard-202507071118-cesbl.png Jim Pingle, 07/07/2025 03:18 PM
Actions
Copy link
 #1

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 25.07 to 25.11
Actions
Copy link
 #2

Updated by Marcos M 2 months ago

  • Status changed from New to Feedback

It's working correctly for me on pfSense-25.11.a.20250628.0006.

Actions
Copy link
 #3

Updated by Jim Pingle 2 months ago

This is still happening, but now I was able to reproduce it on 25.07 (was 25.03). It's not every ICMPv6 just certain types.

Raw log entry:

Jul  7 11:16:03 pmx-25-07 filterlog[88995]: 6,,,1000000105,vtnet2,match,block,in,6,0x00,0x00000,1,Options,0,36,fe80::xxxx:xxxx:xxxx:68b4,ff02::16,HBH,PADN,RTALERT,0x0000,

Firewall rule that produced the log:

@6 block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105

I have a packet capture of a packet which generates this log entry and can reproduce it on demand (happens when a macOS device boots on the segment, at a minimum):

Actions
Copy link
 #4

Updated by Jeff Earickson about 1 month ago

I am also seeing this on an 1100 after updating from 24.11 to 25.07 (released Aug 4). My /var/log/filterlog lines look like:

Aug 5 16:38:02 cleo filterlog: 247,,,1649447902,mvneta0.4092,match,block,in,6,0x00,0x00000,1,Options,0,36,fe80::417:952d:77be:4497,ff02::16,HBH,PADN,RTALERT,0x0000,

Rule(s) 1649447902 look like:

pfctl -sr | grep 1649447902
block drop in log quick on mvneta0.4092 inet all label "USER_RULE: OPT Reject (last rule)" label "id:1649447902" ridentifier 1649447902
block drop in log quick on mvneta0.4092 inet6 all label "USER_RULE: OPT Reject (last rule)" label "id:1649447902" ridentifier 1649447902

It is the last rule in the ruleset for the interface. I have seen the same behavior from an identical rule for LAN. I have tried toggling the "Allow IP Options" advanced setting for the rule on and off -- no change.

Like Jim Pingle, I have a house full of Apple devices: two Macs and two Iphones. Booting up a Mac will produce a burst of these logs.

Actions
Copy link

Also available in: Atom PDF