Bug #3656

"LAN network" in v6 rules doesn't work when assigning link-local address to LAN

Added by Chris Buechler about 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Low
Category: Rules/NAT
Target version:
Start date: 05/15/2014
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.1-IPv6
Affected Architecture:

Description

If you configure a link-local address on an interface, that interface's "network" subnet fails to be looked up. For instance, go to Interfaces>LAN, configure it for static IPv6 fe80::1:1/64, add a v6 rule specifying "LAN subnet" as the source, and you end up with:

# at the break! label "USER_RULE: Default allow LAN IPv6 to any rule" 

History

#1 Updated by Chris Buechler about 5 years ago

Note for others who happen upon this: this really isn't a valid config. But there isn't any reason it shouldn't work.

#2 Updated by Jim Thompson almost 5 years ago

  • Assignee set to Renato Botelho

#3 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Confirmed

Still an issue on latest snapshot. The LAN rule in that scenario ends up as a comment with "at the break".

#4 Updated by Chris Buechler over 4 years ago

  • Priority changed from Normal to Low
  • Target version changed from 2.2 to 2.2.1
  • Affected Documentation 0 added

#5 Updated by Chris Buechler over 4 years ago

  • Target version changed from 2.2.1 to 2.2.2

#6 Updated by Paul K about 4 years ago

This also affects rules with "LAN Interface", not just "LAN Subnet", as source/destination. In order for the rules with "LAN Interface" to work, get_interface_ipv6() would have to return the link-local address, but that would most likely break quite a few other things. Since this is not really a valid config, why not put validation on the interface page that would prevent the user from assigning an fe80::/10 address?

#7 Updated by Chris Buechler about 4 years ago

  • Target version changed from 2.2.2 to 2.2.3

#8 Updated by Chris Buechler almost 4 years ago

  • Target version changed from 2.2.3 to 2.3

#9 Updated by Chris Buechler over 3 years ago

  • Status changed from Confirmed to Resolved
  • Assignee changed from Renato Botelho to Chris Buechler

Added input validation to work around this (and related issues Paul noted) since that's not a valid config anyway.

Put the wrong ticket # on the commit.
https://github.com/pfsense/pfsense/commit/352f808558feda0d3eecefbf150e47d88315a01c
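
The kind of input validation this ticket settled on, as an added example that is not the code from the pfSense commit; the function names and error text are hypothetical. It matches the whole fe80::/10 range by bit mask, so addresses such as febf::1 are caught where a string-prefix test for "fe80" would miss them, and it tolerates a trailing prefix length or zone index.

```php
<?php
// Added illustration, not pfSense code. Function names are hypothetical.

/** Strip an optional "/prefixlen" and "%zone" suffix from an address string. */
function strip_prefix_and_zone(string $addr): string
{
    $addr = explode('/', trim($addr), 2)[0];   // "fe80::1:1/64" -> "fe80::1:1"
    return explode('%', $addr, 2)[0];          // "fe80::1%em0"  -> "fe80::1"
}

/** Return true when $addr lies inside fe80::/10 (IPv6 link-local unicast). */
function is_linklocal_v6(string $addr): bool
{
    $host = strip_prefix_and_zone($addr);
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return false;
    }
    $bin = inet_pton($host);                   // 16 raw bytes
    // /10 mask: first byte is 0xfe and the top two bits of the second are 10.
    return ord($bin[0]) === 0xfe && (ord($bin[1]) & 0xc0) === 0x80;
}

/**
 * Validate a static IPv6 address submitted for an interface.
 * Returns a list of error strings; an empty list means the value is accepted.
 */
function validate_static_ipv6(string $addr): array
{
    $errors = [];
    $host = strip_prefix_and_zone($addr);
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        $errors[] = "'$addr' is not a valid IPv6 address.";
    } elseif (is_linklocal_v6($addr)) {
        $errors[] = "Link-local addresses (fe80::/10) cannot be assigned as a static interface address.";
    }
    return $errors;
}

// Constructed sample inputs covering the ticket's address and the edge cases.
$samples = ['fe80::1:1/64', 'FEBF::1', 'fe80::1%em0', 'fec0::1', '2001:db8::1/64', 'not-an-ip'];
foreach ($samples as $in) {
    $e = validate_static_ipv6($in);
    printf("%-16s %s\n", $in, $e ? 'REJECT: ' . $e[0] : 'accept');
}
```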
