Project

General

Profile

Actions

Bug #2363

closed

IPv6 default interface missing from firewall rule

Added by Johannes Ullrich over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
-
Category:
Rules / NAT
Target version:
Start date:
04/09/2012
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1
Affected Architecture:
All

Description

This is a bug introduced by last yesterday's update. Worked fine before that. (2.1-DEVELOPMENT (amd64)
built on Sun Apr 8 21:08:28 EDT 2012
FreeBSD 8.3-RELEASE)

The IPv6 version of the "let out anything from firewall host itself" rule did not include an interface name.

I managed to get the rules to load after commenting out these two lines from /etc/inc/filter.inc (lines 2574 and 2575)

  1. if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) # $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']}/$pdlen to !{$ifcfg
    ['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";

maybe the real fix is to use $ifcfg['ipv6'] vs. $stf? ($stf seems to be empty).

my host uses a statically configured "gif0" 6in4 interface, not an auto configured 6to4 interface. I am marking this as "urgent" as it renders the firewall useless in my case.

Actions #1

Updated by Seth Mos over 9 years ago

  • Status changed from New to Feedback

Apologies for the breakage, I removed a piece of logic and didn't have the oversight to see what it would do.

It's restored.
https://github.com/bsdperimeter/pfsense/commit/6e5d84ba22f252019e634152ca1a87d1b3d6dd74

Actions #2

Updated by Johannes Ullrich over 9 years ago

Thanks. just applied your patch manually to filter.inc, and it fixed the problem.

Actions #3

Updated by Seth Mos over 9 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF