Project

General

Profile

Actions

Bug #8408

closed

invalid rule written due to ipv6 ipalias being present

Added by Pi Ba over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
03/31/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.3
Affected Architecture:
All

Description

The following rule is generated due to a IPv6 alias being present, this is supposed to fill a array of vips6 , but adds a mode item for the vips array. This causes the empty rule..

pass out  route-to ( em0 192.168.0.1 ) from  to !/ tracker 1000017468 keep state allow-opts label "let out anything from firewall host itself" 

Fix: https://github.com/pfsense/pfsense/pull/3924

Actions #1

Updated by Jim Pingle over 6 years ago

  • Assignee set to Jim Pingle

I was finally able to replicate this and confirm the fix, PR merged, thanks!

Actions #2

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback
Actions #3

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved

Problematic test cluster has no errors on a snapshot containing the fix. Looks good here.

Actions #4

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1
Actions #5

Updated by Rudolf Mayerhofer over 6 years ago

I've started seeing this behaviour after upgrading the slave node of my cluster setup to 2.4.3_1
Thankfully the primary node is still on 2.4.3 and working just fine

Unfortunately this is likely not fully fixed!

Actions #6

Updated by Eric Machabert over 6 years ago

After upgrade from 2.4.2_P1 to 2.4.3_P1, having a cluster configuration with a WAN interface holding an IPV4 CARP AND an IPV6 CARP the problem is back.

It looks like the code parsing the VIPs in filter.inc misunderstand the IPv6 CARP VIP as a ipV4 VIP so it enter the ipv4 loop and because " $gw = get_interface_gateway($ifdescr)" returns the IPV4 GW, then tries to generate the pass out rule on empty values...

I removed my IPV6 CARP on the WAN interface and there is no more problem.

Actions #7

Updated by Jim Pingle over 6 years ago

Anyone else hitting what they believe is this bug is probably hitting #8518 instead. Put comments there.

Actions

Also available in: Atom PDF