Project

General

Profile

Actions

Bug #7142

closed

IPv6: Floating rules on 6rd enabled WAN interfaces doesn't get bound to wan_stf

Added by Kewin Christensen over 4 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
01/19/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.2
Affected Architecture:
amd64

Description

Found a bug in the handling of floating rules when they need to be applied to 6rd enabled interfaces (which are split into the physical interface and a wan_stf interface behind the scenes).

Tested on pfSense 2.3.2-RELEASE-p1 (amd64 full-install).

To get your bearings:

#System aliases
WAN = "{ igb1_vlan102 wan_stf }"
LAN = "{ igb0 }"
GUEST = "{ igb0_vlan10 }"

  1. Gateways
    GWWAN_6RD = " route-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) "

The rule below is created via Floating rules and only attached/assigned to "WAN" interface:

: cat rules.debug | grep Testmonkey
pass in log quick on { igb1_vlan102 } reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484828905 flags S/SA keep state label "USER_RULE: Testmonkey"

Notice, that the rule behind the scenes is bound to my "physical" WAN interface, and not to the wan_stf interface. (And firewall logs show that traffic is being blocked when hitting the wan_stf interface).

The same rule, now put directly on "WAN" interface:

: cat rules.debug | grep Testmonkey
pass in log quick on $WAN reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484829068 flags S/SA keep state label "USER_RULE: Testmonkey-on-WAN"

This time the rule is correctly mapped to the underlying 6rd interface.

/Kewin

Actions #1

Updated by Greg Fox almost 3 years ago

This is still an issue.

Actions #2

Updated by Jim Pingle about 2 years ago

  • Category set to Rules / NAT
Actions #4

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
Actions #5

Updated by Kewin Christensen over 1 year ago

Viktor Gurov wrote:

Fix:
https://github.com/pfsense/pfsense/pull/4341

Wow.. two 6rd fixes in two days, you're on fire mate :)

Actions #6

Updated by Renato Botelho over 1 year ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #7

Updated by Steve Beaver about 1 year ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF