Bug #8408

invalid rule written due to ipv6 ipalias being present

Added by Pi Ba about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules/NAT
Target version:
Start date: 03/31/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.3
Affected Architecture: All

Description

The following rule is generated due to an IPv6 alias being present. This is supposed to fill an array of vips6, but adds a mode item for the vips array. This causes the empty rule.

pass out  route-to ( em0 192.168.0.1 ) from  to !/ tracker 1000017468 keep state allow-opts label "let out anything from firewall host itself" 

Fix: https://github.com/pfsense/pfsense/pull/3924
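
A generated ruleset can be checked for lines like the one quoted above before it is loaded. The following is an added example, not part of the original report and not pfSense code; the function names and the keyword list are assumptions, and it covers only the from/to address operands, not the full pf grammar.

```python
import re

# Tokens that end an address operand. Partial list (assumption), enough for
# rules shaped like the one in the report; not the full pf grammar.
STOP = {"to", "port", "os", "flags", "tracker", "keep", "modulate",
        "synproxy", "no", "allow-opts", "label", "tag", "tagged", "queue"}

def _operand(tokens, keyword):
    """Tokens of the address operand after `keyword`; None if keyword absent."""
    if keyword not in tokens:
        return None
    out = []
    for tok in tokens[tokens.index(keyword) + 1:]:
        if tok in STOP:
            break
        out.append(tok)
    return out

def _problem(operand):
    """Describe what is wrong with an address operand, or return None."""
    addrs = [t.lstrip("!") for t in operand if t not in ("{", "}", ",", "!")]
    if not addrs:
        return "empty address"
    for addr in addrs:
        host, slash, mask = addr.partition("/")
        if not host or (slash and not mask):
            return f"malformed address {addr!r}"
    return None

def check_rule(line):
    """Return problems in the from/to part of one generated pf rule."""
    tokens = re.sub(r'"[^"]*"', '""', line).split()  # drop label text
    problems = []
    for keyword, side in (("from", "source"), ("to", "destination")):
        operand = _operand(tokens, keyword)
        reason = _problem(operand) if operand is not None else None
        if reason:
            problems.append(f"{side}: {reason}")
    return problems

# First line is the rule from the report; the second is constructed.
SAMPLE = [
    'pass out  route-to ( em0 192.168.0.1 ) from  to !/ tracker 1000017468 '
    'keep state allow-opts label "let out anything from firewall host itself"',
    'pass out route-to ( em0 192.168.0.1 ) from 192.168.0.10 to '
    '!192.168.0.0/24 tracker 1 keep state allow-opts label "constructed"',
]

if __name__ == "__main__":
    for number, rule in enumerate(SAMPLE, 1):
        print(number, check_rule(rule) or "ok")
```
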

History

#1 Updated by Jim Pingle about 1 year ago

  • Assignee set to Jim Pingle

I was finally able to replicate this and confirm the fix, PR merged, thanks!

#2 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback

#3 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved

Problematic test cluster has no errors on a snapshot containing the fix. Looks good here.

#4 Updated by Jim Pingle about 1 year ago

  • Target version changed from 2.4.4 to 2.4.3-p1

#5 Updated by Rudolf Mayerhofer about 1 year ago

I've started seeing this behaviour after upgrading the slave node of my cluster setup to 2.4.3_1.
Thankfully the primary node is still on 2.4.3 and working just fine.

Unfortunately this is likely not fully fixed!

#6 Updated by Eric Machabert about 1 year ago

After upgrading from 2.4.2_P1 to 2.4.3_P1, with a cluster configuration where a WAN interface holds an IPv4 CARP and an IPv6 CARP, the problem is back.

It looks like the code parsing the VIPs in filter.inc misunderstands the IPv6 CARP VIP as an IPv4 VIP, so it enters the IPv4 loop, and because "$gw = get_interface_gateway($ifdescr)" returns the IPv4 GW, it then tries to generate the pass out rule on empty values...

I removed my IPV6 CARP on the WAN interface and there is no more problem.

#7 Updated by Jim Pingle about 1 year ago

Anyone else hitting what they believe is this bug is probably hitting #8518 instead. Put comments there.
