Project

General

Profile

Actions

Bug #3499

closed

Missing data validation for IPv4+IPv6 rule with IPv4 literal address

Added by Brian Candler almost 11 years ago. Updated almost 11 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
03/03/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1
Affected Architecture:

Description

If you add a rule selected as "IPv4+IPv6", but the source or destination is an IPv4 literal, then it is accepted but the firewall ruleset breaks. "pfctl -sr" shows a completely empty ruleset. When you navigate to another page you do get a notification in the web browser:

There were error(s) loading the rules: /tmp/rules.debug:173: rule expands to no valid combination - The line in question reads [173]: pass in quick on $WAN reply-to ( em0 fe80::xxxx:xxff:fexx:xxxx ) inet6 proto tcp from any to 192.0.2.1 flags S/SA keep state label USER_RULE: test]

How to reproduce: add rule for

interface: WAN
TCP/IP version: IPv4+IPv6
protocol: TCP
source: any
destination: 192.0.2.1

Click "Apply changes", then after a few seconds click on the "pfsense" icon to go to dashboard to get the alert.

How this arose: I am moving towards IPv4+IPv6 for all rules, but in this case the host had only one address and I didn't bother to create a named alias for it. Instead I just entered its address directly into the rule.

Actions #1

Updated by Brian Candler almost 11 years ago

Note: this is with pfsense 2.1

Actions #2

Updated by Renato Botelho almost 11 years ago

  • Target version set to 2.1.1
  • Affected Version set to 2.1
Actions #3

Updated by Renato Botelho almost 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Chris Buechler almost 11 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF