Bug #5424

closed

outbound state not created for TCP IPv6 traffic matching route-to rule

Added by Chris Buechler about 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Operating System
Target version:
Start date: 11/11/2015
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3
Affected Architecture:

Description

IPv6 TCP traffic passed in by a rule specifying route-to on the ingress interface doesn't get a state created on the egress interface.

To replicate, just edit the default LAN rule for IPv6 and specify a gateway. All TCP traffic from LAN will stop working. The SYN leaves correctly, SYN ACK comes back and gets blocked because of the missing state.

Actions #1

Updated by Luiz Souza about 9 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Fixed. There was a bug in FreeBSD that makes pf_test_rule() skip the state creation in this situation.

https://github.com/pfsense/FreeBSD-src/commit/7ed1aac3e1029b1f7ebe0d4153de5048f02db8c9

Actions #2

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

works

Actions #3

Updated by Jim Pingle about 9 years ago

Yep, definitely fixed. I upgraded my edge firewall and put my v6 policy routing back and it's all working again.
