Project

General

Profile

Actions

Bug #3656

closed

"LAN network" in v6 rules doesn't work when assigning link-local address to LAN

Added by Chris Buechler over 10 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Low
Category:
Rules / NAT
Target version:
Start date:
05/15/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1-IPv6
Affected Architecture:

Description

If you configure a link-local address on an interface, that interface's "network" subnet fails being looked up. For instance, go to Interfaces>LAN, configure it for static IPv6 fe80::1:1/64 for instance, add a v6 rule specifying "LAN subnet" as the source, and you end up with:

# at the break! label "USER_RULE: Default allow LAN IPv6 to any rule" 
Actions #1

Updated by Chris Buechler over 10 years ago

note for others who happen upon this, this really isn't a valid config. But there isn't any reason it shouldn't work.

Actions #2

Updated by Jim Thompson over 10 years ago

  • Assignee set to Renato Botelho
Actions #3

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Confirmed

still an issue on latest snapshot. the LAN rule in that scenario ends up as a comment with "at the break".

Actions #4

Updated by Chris Buechler about 10 years ago

  • Priority changed from Normal to Low
  • Target version changed from 2.2 to 2.2.1
Actions #5

Updated by Chris Buechler almost 10 years ago

  • Target version changed from 2.2.1 to 2.2.2
Actions #6

Updated by Paul K over 9 years ago

This also affects rules with "LAN Interface" not just "LAN Subnet" as source/destination. In order for the rules with "LAN Interface" to work get_interface_ipv6() would have to return link-local address, but that would most likely break quite a few other things. Since this is not really a valid config why not put validation on interface page that would prevent user from assigning fe80::/10 address.

Actions #7

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2.2 to 2.2.3
Actions #8

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2.3 to 2.3
Actions #9

Updated by Chris Buechler about 9 years ago

  • Status changed from Confirmed to Resolved
  • Assignee changed from Renato Botelho to Chris Buechler

Added input validation to work around this (and related issues Paul noted) since that's not a valid config anyway.

Put the wrong ticket # on the commit.
https://github.com/pfsense/pfsense/commit/352f808558feda0d3eecefbf150e47d88315a01c

Actions

Also available in: Atom PDF