author | smos <seth.mos@dds.nl> | 2012-04-07 19:20:26 +0200 |
---|---|---|
committer | smos <seth.mos@dds.nl> | 2012-04-07 19:20:26 +0200 |
commit | 5411c08460ff725440f82a908d10fcdebe6f7078 (patch) | |
tree | c5257dd92d6454e6b526d331b09e3a4848843d40 | |
parent | d48ed103b00fc6c645cc1a392f973b99246049b2 (diff) | |
Add automatic firewall rules that allow traffic destined for a downstream delegated prefix.
The downstream router is the one to decide what to do with it. This can still be overridden by user rules, just like outbound traffic.
-rw-r--r-- | etc/inc/filter.inc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index ada85ee..26406c3 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2721,6 +2721,12 @@ EOD;
 if(is_ipaddrv6($ifcfgipv6)) {
 $prefix = Net_IPv6::getNetmask($ifcfgipv6, $pdlen);
 $ipfrules .= "pass in quick on \${$oc['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$oc['descr']} to any\"\n";
+ /* add rules on the WAN for traffic back in, let the downstream router
+ * figure out what to do with the traffic */
+ $trackcfgipv6 = find_interface_ipv6(get_real_interface($trackifname));
+ if(is_ipaddrv6($trackcfgipv6)) {
+ $ipfrules .= "pass in quick on \${$trackcfg['descr']} inet6 from any to $prefix/$pdlen to any keep state label \"Allow IPv6 in on {$trackcfg['descr']} to $prefix/$pdlen\"\n";
+ }
 }
 }
 } |
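Review bot: The added rule string reads `from any to $prefix/$pdlen to any keep state`, so the destination is given twice; pf will most likely reject that line and the generated ruleset will then fail to load, so drop the trailing `to any`: `inet6 from any to $prefix/$pdlen keep state label ...`. The rule also interpolates `$trackcfg['descr']`, while the hunk only shows `$trackifname` and `$trackcfgipv6` being set; if `$trackcfg` is not assigned earlier in the enclosing block (which starts outside the hunk), the interface macro and label come out empty. Separately, `pass in quick` from any source to the whole delegated prefix makes the WAN default-allow for every host behind the downstream router, and the claim that user rules can still override it holds only if they are emitted before this text in the ruleset, which is not visible here. A comment stating that ordering assumption would help anyone auditing the generated rules.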