Bug #7142
closed
IPv6: Floating rules on 6rd enabled WAN interfaces doesn't get bound to wan_stf
100%
Description
Found a bug in the handling of floating rules when they need to be applied to 6rd enabled interfaces (which are split into the physical interface and a wan_stf interface behind the scenes).
Tested on pfSense 2.3.2-RELEASE-p1 (amd64 full-install).
To get your bearings:
#System aliases
WAN = "{ igb1_vlan102 wan_stf }"
LAN = "{ igb0 }"
GUEST = "{ igb0_vlan10 }"
# Gateways
GWWAN_6RD = " route-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) "
The rule below is created via Floating rules and only attached/assigned to "WAN" interface:
: cat rules.debug | grep Testmonkey
pass in log quick on { igb1_vlan102 } reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484828905 flags S/SA keep state label "USER_RULE: Testmonkey"
Notice that the rule behind the scenes is bound to my "physical" WAN interface, and not to the wan_stf interface (and firewall logs show that traffic is being blocked when hitting the wan_stf interface).
The same rule, now put directly on "WAN" interface:
: cat rules.debug | grep Testmonkey
pass in log quick on $WAN reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484829068 flags S/SA keep state label "USER_RULE: Testmonkey-on-WAN"
This time the rule is correctly mapped to the underlying 6rd interface.
/Kewin
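The mismatch described in the report above can be checked mechanically. This is an added example, not part of the original report and not pfSense code. It assumes the heuristic that a rule is suspect when the interface named in its reply-to clause is missing from the interfaces the rule is bound to; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not pfSense code). Heuristic assumed here: a rule is suspect
# when its reply-to interface is absent from the interfaces it is bound to.

# Reads rules.debug text on stdin; prints one line per suspect rule.
find_unbound_replyto() {
    awk '
    # Macro definition, e.g.  WAN = "{ igb1_vlan102 wan_stf }"
    /^[A-Za-z_][A-Za-z0-9_]* *= *"/ {
        val = $0
        sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val)
        gsub(/[{}]/, " ", val)
        macro[$1] = val
        next
    }
    /^(pass|block|match) / && / reply-to \(/ {
        # Bound interfaces: the text between the last " on " and " reply-to".
        on = $0
        sub(/ reply-to .*$/, "", on); sub(/^.* on /, "", on)
        gsub(/^ +| +$/, "", on)
        if (substr(on, 1, 1) == "$") on = macro[substr(on, 2)]  # expand $WAN
        gsub(/[{}]/, " ", on)
        # Interface named inside reply-to ( <if> <gateway> )
        rt = $0
        sub(/^.* reply-to \( */, "", rt); split(rt, f, " ")
        n = split(on, ifs, " "); found = 0
        for (i = 1; i <= n; i++) if (ifs[i] == f[1]) found = 1
        lbl = "(no label)"
        if (match($0, /label "[^"]*"/)) lbl = substr($0, RSTART + 7, RLENGTH - 8)
        if (!found) print lbl ": reply-to " f[1] " is not a bound interface"
    }'
}

# The WAN macro and both rules quoted in the report above.
sample_rules() {
    cat <<'EOF'
WAN = "{ igb1_vlan102 wan_stf }"
pass in log quick on { igb1_vlan102 } reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484828905 flags S/SA keep state label "USER_RULE: Testmonkey"
pass in log quick on $WAN reply-to ( wan_stf 2a00:fd00:fff1:79c8:448:: ) inet6 proto tcp from any to any port 9999 tracker 1484829068 flags S/SA keep state label "USER_RULE: Testmonkey-on-WAN"
EOF
}

sample_rules | find_unbound_replyto
```

On a firewall, feed it the generated ruleset instead of the sample: `find_unbound_replyto < rules.debug`.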
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Kewin Christensen over 4 years ago
Viktor Gurov wrote:
Wow.. two 6rd fixes in two days, you're on fire mate :)
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!