IPv6 IPs with leading or trailing : incorrectly considered valid
Firewall rules, ip validation allows incorrect ip.
Webgui shows an error while rules are loaded.
There were error(s) loading the rules: no IP address found for 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: - The line in question reads : @ 2016-03-24 20:10:28
#2 Updated by Pi Ba about 5 years ago
Source and destination in webgui are both set to 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: (please notice the last colon, it's one too many) and should be rejected as an invalid IP.
The rule in rules.debug is this:
pass in quick on $OPT1 inet6 proto tcp from 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: port 65432 to 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF: port 65432 tracker 1458757724 flags S/SA keep state label "USER_RULE"
Trying to load rules:
[2.3-BETA][root@pfSense.localdomain]/root: pfctl -f /tmp/rules.debug
no IP address found for 1234:5678:90AB:CDEF:1234:5678:90AB:CDEF:
/tmp/rules.debug:188: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
#3 Updated by Chris Buechler about 5 years ago
- Subject changed from Firewall rules, ip validation allows incorrect ip. to IPv6 IPs with leading or trailing : incorrectly considered valid
- Status changed from New to Confirmed
- Affected Version changed from 2.3 to All
Net_IPv6::checkIPv6 returns true where the IP ends or begins in : in that case. It's always done that.
Reported upstream so hopefully it gets fixed in Net_IPv6.
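Added example, not part of the original ticket and not pfSense or Net_IPv6 code: a strict textual IPv6 check in PHP that rejects the lone leading or trailing colon described above before an address is written to rules.debug. It goes beyond the reported case by also handling "::" compression and an embedded IPv4 tail; the function name is_strict_ipv6 and the sample list are assumptions made for illustration.

```php
<?php
// Added example, not pfSense or PEAR code. Assumes a bare address with
// no zone index ("%em0") and no prefix length ("/64").
function is_strict_ipv6(string $ip): bool
{
    // "::" may appear at most once; it is the only legal source of empty groups.
    $halves = explode('::', $ip);
    if (count($halves) > 2) {
        return false;
    }
    $groups = [];
    foreach ($halves as $half) {
        if ($half !== '') {
            // A lone leading/trailing ":" leaves '' here; the hex check rejects it.
            $groups = array_merge($groups, explode(':', $half));
        }
    }
    // An embedded IPv4 tail (::ffff:192.0.2.1) is legal only as the final
    // token and occupies two 16-bit groups.
    $width = 0;
    $tail = end($halves);
    if ($tail !== '' && strpos($tail, '.') !== false) {
        $v4 = array_pop($groups);
        if (filter_var($v4, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false;
        }
        $width = 2;
    }
    foreach ($groups as $g) {
        if (preg_match('/\A[0-9A-Fa-f]{1,4}\z/', $g) !== 1) {
            return false;
        }
    }
    $width += count($groups);
    // "::" stands for at least one zero group; without it all 8 must be present.
    return count($halves) === 2 ? $width <= 7 : $width === 8;
}

// Constructed samples; the first is the address from this report.
$samples = [
    '1234:5678:90AB:CDEF:1234:5678:90AB:CDEF:',
    ':1234:5678:90AB:CDEF:1234:5678:90AB:CDEF',
    '1234:5678:90AB:CDEF:1234:5678:90AB:CDEF',
    '2001:db8::1',
    '::ffff:192.0.2.1',
];
foreach ($samples as $s) {
    printf("%-42s %s\n", $s, is_strict_ipv6($s) ? 'valid' : 'rejected');
}
```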
#5 Updated by Phillip Davis about 5 years ago
I also submitted a couple of other PRs to PEAR for:
a) Cleanup some comments (some of which are fixed in the pfSense version) and end-of-line crud: https://github.com/pear/Net_IPv6/pull/12
b) Submit a fix for SplitV64 that is in the pfSense code but not upstream: https://github.com/pear/Net_IPv6/pull/13
All of this will (if accepted) make the upstream PEAR version more similar to the pfSense version.