author | Chris Buechler <cmb@pfsense.org> | 2015-02-11 16:59:27 -0600 |
committer | Chris Buechler <cmb@pfsense.org> | 2015-02-11 16:59:27 -0600 |
commit | 274a531ab714e4a9b901455e7c2a125a3b267ab2 (patch) | |
tree | 62a046802c698c936620c8f7f92b3b52a63dc697 | |
parent | eaa89cc6551f76e0dc47c1f24420a9ab1800f111 (diff) | |
DHCPv6 client rules MUST come before bogons. Add a comment that hopefully
sticks out so this stops getting broken. Ticket #3395
-rw-r--r-- | etc/inc/filter.inc | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 21dd2ee..768289e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2903,6 +2903,20 @@ EOD;
 $bogontableinstalled = 0;
 foreach ($FilterIflist as $on => $oc) {
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
+ if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
+ // The DHCPv6 client rules ***MUST BE ABOVE BOGONSV6!*** https://redmine.pfsense.org/issues/3395
+ $ipfrules .= <<<EOD
+# allow our DHCPv6 client out to the {$oc['descr']}
+pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+
+EOD;
+ }
+
 /* XXX: Not static but give a step of 1000 for each interface to at least be able to match rules. */
 $saved_tracker += 1000;
 $tracker = $saved_tracker;
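Review bot: The new `// The DHCPv6 client rules ***MUST BE ABOVE BOGONSV6!***` comment states the constraint but not the mechanism, so the next maintainer still has to read the ticket to learn what breaks; spelling it out would make the warning self-explanatory, e.g. `// ***MUST BE ABOVE BOGONSV6!*** these pass-quick rules match fe80::/10 link-local traffic that the bogonsv6 block would otherwise catch first - https://redmine.pfsense.org/issues/3395` (that the bogonsv6 table covers fe80::/10 is inferred from the ticket, confirm before wording it that way). Placing the block ahead of the bogon rules also changes what the second rule, `pass in ... from any port = 547 to any port = 546`, admits, since it is the only one of the three not restricted to a link-local source and no longer sits behind the bogon block; if that breadth is intentional (for example relayed replies), a one-line comment on that rule would keep it from being "tightened" later, and if not, a source constraint is worth considering. The enclosing `foreach ($FilterIflist ...)` loop and its function begin and end outside the hunk.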
@@ -2933,20 +2947,6 @@ EOD;
 }
 }
-
- $saved_tracker += 10;
- $tracker = $saved_tracker;
-
- if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
- $ipfrules .= <<<EOD
-# allow our DHCPv6 client out to the {$oc['descr']}
-pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
-
-EOD;
- }
-
 $saved_tracker += 10;
 $tracker = $saved_tracker;
@@ -3809,4 +3809,4 @@ function filter_get_antilockout_ports($wantarray = false) {
 }
-?>
+?>
\ No newline at end of file |