Bug #2451

closed

IPv6 rule: 'add network' becomes 'add single host'

Added by Charles Orus over 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Normal
Category: Rules / NAT
Target version:
Start date: 05/24/2012
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1-IPv6
Affected Architecture: i386

Description

I tried to add a reject rule for a range of IPv6 addresses:

"Reject TCP IPv6 to type network 2a00:1450:: CIDR /32"

After I have clicked 'save' it shows me the single alias. Not a network.

This is on 2.1-DEVELOPMENT (i386) built on Fri May 18 05:21:05 EDT 2012 FreeBSD 8.3-RELEASE-p1 NanoBSD.

Actions #1

Updated by Seth Mos over 9 years ago

Can you include what ends up in the /tmp/rules.debug?

Actions #2

Updated by Charles Orus over 9 years ago

block return in quick on $WIRED inet6 from any to 2a00:1450:: label "USER_RULE: TmpReject YouTube"

Actions #3

Updated by Jim Pingle almost 9 years ago

  • Target version set to 2.1

This is probably due to an old check for the CIDR being /32 meaning single IP, but that test should not be applied on IPv6 IPs.
I can confirm it still happens on a current 2.1 snap.

Actions #4

Updated by Renato Botelho almost 9 years ago

  • Assignee set to Renato Botelho
Actions #5

Updated by Renato Botelho almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Jim Pingle almost 9 years ago

  • Status changed from Feedback to New
  • % Done changed from 100 to 50

It's partially fixed but not 100%.

If I enter 2a00:1450:: in a firewall rule as a network with a mask of /32 (which is perfectly valid as a normal prefix length on IPv6), it does show 2a00:1450::/32 on the rule list now, but when you go back into the rule to edit again, the choice has moved from Network to Single Host or Alias.

Actions #7

Updated by Renato Botelho almost 9 years ago

I couldn't reproduce it here. When I go back to edit the rule, it's set as network and bitmask 32.

Actions #8

Updated by Jim Pingle almost 9 years ago

OK, it works correctly in the source box, but not the destination box.

Actions #9

Updated by Renato Botelho almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 50 to 100
Actions #10

Updated by Tobias Wigand almost 9 years ago

Maybe this change broke something, because I have created exactly the same rule on earlier snapshots without any problems:
Trying to add a Block rule for IPv6 ICMP traffic from "Single Host or Alias" fe80::1 always results in a Network Source with fe80::1/32 for me. I'm on the latest snapshot Fri Feb 15 15:43:49 EST 2013. Tried this with multiple browsers.

Actions #11

Updated by Jim Pingle almost 9 years ago

  • Status changed from Feedback to New
Actions #12

Updated by Renato Botelho almost 9 years ago

  • Status changed from New to Feedback
Actions #13

Updated by Tobias Wigand almost 9 years ago

The latest change fixed my problem, thank you!

Actions #14

Updated by Renato Botelho almost 9 years ago

  • Status changed from Feedback to Resolved
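
The failure discussed in this ticket, as an added example that is not pfSense code: a host-versus-network decision that treats /32 as "single host" regardless of address family, next to a family-aware version. All function names are hypothetical, and `legacy_target` is a constructed model of the cause suggested in comment #3, not the project's actual check.

```python
import ipaddress

def legacy_target(addr: str, bits: int) -> str:
    """Constructed model of the suspected old check: /32 always means one host."""
    return addr if bits == 32 else f"{addr}/{bits}"

def fixed_target(addr: str, bits: int) -> str:
    """Family-aware: only the full-length mask (32 for IPv4, 128 for IPv6) is a host."""
    ip = ipaddress.ip_address(addr)
    if not 0 <= bits <= ip.max_prefixlen:
        raise ValueError(f"/{bits} is not a valid prefix length for {addr}")
    if bits == ip.max_prefixlen:
        return str(ip)
    # strict=False masks off any host bits instead of raising.
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def form_type(target: str) -> str:
    """Selector an edit form should preselect when a saved target is reloaded."""
    net = ipaddress.ip_network(target, strict=False)
    return "single" if net.prefixlen == net.max_prefixlen else "network"

def addresses_covered(target: str) -> int:
    """How many addresses a rule target matches (a bare address matches one)."""
    return ipaddress.ip_network(target, strict=False).num_addresses

if __name__ == "__main__":
    # Constructed cases: the first two use addresses quoted in the ticket,
    # the third is a documentation-range IPv4 address for comparison.
    for addr, bits in [("2a00:1450::", 32), ("fe80::1", 128), ("192.0.2.10", 32)]:
        old, new = legacy_target(addr, bits), fixed_target(addr, bits)
        print(f"{addr}/{bits}: legacy={old} ({addresses_covered(old)} addr), "
              f"fixed={new} ({addresses_covered(new)} addr, {form_type(new)})")
```

A destination written without a prefix in /tmp/rules.debug, as in comment #2, matches exactly one address, so the reject rule covers far less than the /32 network that was entered.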