Bug #3499
closedMissing data validation for IPv4+IPv6 rule with IPv4 literal address
100%
Description
If you add a rule selected as "IPv4+IPv6", but the source or destination is an IPv4 literal, then it is accepted but the firewall ruleset breaks. "pfctl -sr" shows a completely empty ruleset. When you navigate to another page you do get a notification in the web browser:
There were error(s) loading the rules: /tmp/rules.debug:173: rule expands to no valid combination - The line in question reads [173]: pass in quick on $WAN reply-to ( em0 fe80::xxxx:xxff:fexx:xxxx ) inet6 proto tcp from any to 192.0.2.1 flags S/SA keep state label USER_RULE: test]
How to reproduce: add rule for
interface: WAN
TCP/IP version: IPv4+IPv6
protocol: TCP
source: any
destination: 192.0.2.1
Click "Apply changes", then after a few seconds click on the "pfsense" icon to go to dashboard to get the alert.
How this arose: I am moving towards IPv4+IPv6 for all rules, but in this case the host had only one address and I didn't bother to create a named alias for it. Instead I just entered its address directly into the rule.
Updated by Renato Botelho almost 11 years ago
- Target version set to 2.1.1
- Affected Version set to 2.1
Updated by Renato Botelho almost 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 6bb99c3fe0e5510c8c1962f082ef30bf0ab84a81.
Updated by Renato Botelho almost 11 years ago
Applied in changeset de9ac478b3a846cc4068d21c0cb5cf8f8097e22b.
Updated by Chris Buechler almost 11 years ago
- Status changed from Feedback to Resolved