Bug #8408
closed
invalid rule written due to ipv6 ipalias being present
100%
Description
The following rule is generated due to an IPv6 alias being present. This is supposed to fill an array of vips6, but adds a mode item for the vips array. This causes the empty rule.
pass out route-to ( em0 192.168.0.1 ) from to !/ tracker 1000017468 keep state allow-opts label "let out anything from firewall host itself"
Updated by Jim Pingle over 6 years ago
- Assignee set to Jim Pingle
I was finally able to replicate this and confirm the fix, PR merged, thanks!
Updated by Jim Pingle over 6 years ago
- Status changed from Feedback to Resolved
Problematic test cluster has no errors on a snapshot containing the fix. Looks good here.
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.4 to 2.4.3-p1
Updated by Rudolf Mayerhofer over 6 years ago
I've started seeing this behaviour after upgrading the slave node of my cluster setup to 2.4.3_1.
Thankfully the primary node is still on 2.4.3 and working just fine.
Unfortunately this is likely not fully fixed!
Updated by Eric Machabert over 6 years ago
After upgrade from 2.4.2_P1 to 2.4.3_P1, having a cluster configuration with a WAN interface holding an IPv4 CARP AND an IPv6 CARP, the problem is back.
It looks like the code parsing the VIPs in filter.inc misunderstands the IPv6 CARP VIP as an IPv4 VIP, so it enters the IPv4 loop and, because "$gw = get_interface_gateway($ifdescr)" returns the IPv4 GW, then tries to generate the pass out rule on empty values...
I removed my IPv6 CARP on the WAN interface and there is no more problem.
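The failure mode discussed in this thread, as an added Python sketch that is neither pfSense's filter.inc code nor the merged fix: each VIP is classified by parsing its address, a route-to rule is emitted only when a gateway of the same family exists, and the empty-operand rule shape quoted in the description is flagged. The field names, sample addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: one IPv4 CARP VIP and one IPv6 IP alias on the same
# interface. Field names are hypothetical, not pfSense's config schema.
SAMPLE_VIPS = [
    {"if": "em0", "mode": "carp", "addr": "192.168.0.10", "bits": 24},
    {"if": "em0", "mode": "ipalias", "addr": "2001:db8::10", "bits": 64},
]
SAMPLE_GATEWAYS = {"em0": {4: "192.168.0.1"}}  # constructed: no IPv6 gateway


def split_by_family(vips):
    """Sort VIPs into IPv4 and IPv6 lists by parsing the address itself."""
    out = {4: [], 6: []}
    for vip in vips:
        try:
            net = ipaddress.ip_interface(f"{vip['addr']}/{vip['bits']}")
        except (KeyError, ValueError):
            continue  # empty or malformed entry: never let it reach a rule
        out[net.version].append((vip["if"], net))
    return out


def route_to_rules(vips, gateways):
    """Emit one pass-out rule per VIP, only when VIP and gateway families match."""
    rules = []
    for family, entries in split_by_family(vips).items():
        for ifname, net in entries:
            gw = gateways.get(ifname, {}).get(family)
            if gw is None:
                continue  # no gateway of this family: skip, do not emit blanks
            rules.append(
                f"pass out route-to ( {ifname} {gw} ) from {net.ip} "
                f"to !{net.network} keep state allow-opts"
            )
    return rules


def has_empty_operands(rule):
    """Flag the failure shape quoted in the report: 'from to !/'."""
    tokens = rule.split() + ["", ""]  # padding keeps the lookups in range
    src = tokens[tokens.index("from") + 1] if "from" in tokens else ""
    dst = tokens[tokens.index("to") + 1] if "to" in tokens else ""
    return src in ("", "to") or dst.strip("!/") == ""
```

Running `has_empty_operands` over each line of a generated ruleset before it is loaded catches this class of malformed rule regardless of which code path produced it.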
Updated by Jim Pingle over 6 years ago
Anyone else hitting what they believe is this bug is probably hitting #8518 instead. Put comments there.