Allow disabling the APIPA block via hidden config option. Very rarely necessary or desirable, but Amazon VPC VPNs use that as their tunnel subnet with BGP setups.

1 files changed, 8 insertions, 2 deletions

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 07350cc..fdc7e61 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2814,13 +2814,19 @@ function filter_rules_generate() {
 
 	$saved_tracker += 100;
 	$tracker = $saved_tracker;
-
-	$ipfrules .= <<<EOD
+	
+	if (!isset($config['system']['no_apipa_block'])) {
+		$ipfrules .= <<<EOD
 # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
 # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
 # route-to can override that, causing problems such as in redmine #2073
 block in {$log['block']} quick from 169.254.0.0/16 to any tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
 block in {$log['block']} quick from any to 169.254.0.0/16 tracker {$increment_tracker($tracker)} label "Block IPv4 link-local"
+
+EOD;
+	}
+
+	$ipfrules .= <<<EOD
 #---------------------------------------------------------------------------
 # default deny rules
 #---------------------------------------------------------------------------