
Bug #6024

IPv6 IPs with leading or trailing : incorrectly considered valid

Added by Pi Ba over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version:
Start date: 03/24/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture:
Description

Firewall rules: IP validation allows an incorrect IP.
The webGUI shows an error while the rules are loaded.

There were error(s) loading the rules: no IP address found for 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: - The line in question reads [5678]: @ 2016-03-24 20:10:28

History

#1 Updated by Jim Pingle over 3 years ago

What is the actual IP address entered in the GUI?
And what is the actual rule found in /tmp/rules.debug that is failing? (Try pfctl -f /tmp/rules.debug from the shell)

#2 Updated by Pi Ba over 3 years ago

Source and destination in the webGUI are both set to 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: (please notice the last colon; it's one too many) and should be rejected as an invalid IP.

The rule in rules.debug is this:

pass  in  quick  on $OPT1 inet6 proto tcp  from 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: port 65432 to 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: port 65432 tracker 1458757724 flags S/SA keep state  label "USER_RULE" 

Trying to load rules:
[2.3-BETA][root@pfSense.localdomain]/root: pfctl -f /tmp/rules.debug
no IP address found for 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF:
/tmp/rules.debug:188: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

#3 Updated by Chris Buechler over 3 years ago

  • Subject changed from Firewall rules, ip validation allows incorrect ip. to IPv6 IPs with leading or trailing : incorrectly considered valid
  • Status changed from New to Confirmed
  • Affected Version changed from 2.3 to All

Net_IPv6::checkIPv6 returns true where the IP ends or begins in : in that case. It's always done that.

Reported upstream so hopefully it gets fixed in Net_IPv6.
https://pear.php.net/bugs/bug.php?id=21046
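To make the failure mode described in #3 concrete, here is an added Python validator (not Net_IPv6 or pfSense code) that rejects a single leading or trailing colon while still accepting "::" at either end, and cross-checks its verdicts against the standard library. The sample addresses are constructed; the one from this report is included with and without the stray colon.

```python
import ipaddress
import re

# One group of 1-4 hex digits between colons.
HEX_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def check_ipv6(addr: str) -> tuple[bool, str]:
    """Syntax-check a bare IPv6 literal (no zone id, prefix or embedded IPv4).

    Returns (valid, reason) so a caller can log why an address was rejected.
    """
    if not addr:
        return False, "empty"
    # A single ':' may never open or close an address; only '::' can.
    if addr.startswith(":") and not addr.startswith("::"):
        return False, "leading single colon"
    if addr.endswith(":") and not addr.endswith("::"):
        return False, "trailing single colon"
    if ":::" in addr or addr.count("::") > 1:
        return False, "malformed '::' compression"
    if "::" in addr:
        left, right = addr.split("::")
        # '::' stands for at least one zero group, so at most 7 explicit groups remain.
        groups = [g for half in (left, right) if half for g in half.split(":")]
        if len(groups) > 7:
            return False, "too many groups with '::'"
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            return False, f"expected 8 groups, got {len(groups)}"
    for g in groups:
        if not HEX_GROUP.fullmatch(g):
            return False, f"bad group {g!r}"
    return True, "ok"


def agrees_with_stdlib(addr: str) -> bool:
    """True when check_ipv6 and ipaddress.IPv6Address reach the same verdict."""
    try:
        ipaddress.IPv6Address(addr)
        reference = True
    except ValueError:
        reference = False
    return check_ipv6(addr)[0] == reference


# Constructed samples: the address from this report, the broken forms, and '::' edge cases.
SAMPLES = [
    "1234:5678:90AB:CDEF:1234:5678:90AB:CDEF",
    "1234:5678:90AB:CDEF:1234:5678:90AB:CDEF:",
    ":1234:5678:90AB:CDEF:1234:5678:90AB:CDEF",
    "::1", "2001:db8::", "::", "1:2:3:4:5:6:7::8", "1:2:3:4:5:6:7:8:9", "1:::2",
]
```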

#4 Updated by Phillip Davis over 3 years ago

Proposed fix for PEAR library: https://github.com/pear/Net_IPv6/pull/14
Same fix to the pfSense copy: https://github.com/pfsense/pfsense/pull/2788

#5 Updated by Phillip Davis over 3 years ago

I also submitted a couple of other PRs to PEAR for:
a) Cleanup some comments (some of which are fixed in the pfSense version) and end-of-line crud: https://github.com/pear/Net_IPv6/pull/12
b) Submit a fix for SplitV64 that is in the pfSense code but not upstream: https://github.com/pear/Net_IPv6/pull/13

All of this will (if accepted) make the upstream PEAR version more similar to the pfSense version.

#6 Updated by Chris Buechler over 3 years ago

  • Status changed from Confirmed to Resolved
  • Target version set to 2.3

works, thanks Phil!
