Project

General

Profile

Actions
Copy link

Feature #16215

closed

Allow floating rules using the "match" action to match based on IP Options

Added by Marcos M 10 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Marcos M
Category:
Rules / NAT
Target version:
2.9.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.11
Release Notes:
Default

Description

Match rules now support matching traffic with "allow-opts":
https://cgit.freebsd.org/src/commit/?id=7e70d94acd68b3ac6b45f49d4ab7a0f7867c3ea7

Note that this is a "sticky" option meaning that "pass" rules inherit the "allow-opts" option from the "match" rule.

Related issues

Related to Feature #16068: Option to disable logging of packets blocked due to unmatched IP optionsResolvedMarcos M

Actions
Actions
Copy link
 #1

Updated by Marcos M 10 months ago

  • Related to Feature #16068: Option to disable logging of packets blocked due to unmatched IP options added
Actions
Copy link
 #2

Updated by Marcos M 10 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:12a7fdf854ec48b0d2679eda374ff366c513aaca.

Actions
Copy link
 #3

Updated by Georgiy Tyutyunnik 10 months ago

patch allows "match" rule creation with IP options enabled. resulting floating rule logs igmp traffic
tested on
25.07-DEVELOPMENT (amd64)
built on Thu May 29 19:08:00 UTC 2025
FreeBSD 15.0-CURRENT

Actions
Copy link
 #4

Updated by Georgiy Tyutyunnik 9 months ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #5

Updated by Jim Pingle 8 months ago

  • Plus Target Version changed from 25.07 to 25.11
Actions
Copy link
 #6

Updated by Marcos M 8 months ago

  • Description updated (diff)
Actions
Copy link
 #7

Updated by Jim Pingle 4 months ago

  • Subject changed from Allow matching on IP Options with firewall match rules to Allow floating rules using the "match" action to match based on IP Options
Actions
Copy link

Also available in: Atom PDF