authorphildd <ict.advisor@nepal.inf.org>2013-03-24 18:28:11 +0545
committerphildd <ict.advisor@nepal.inf.org>2013-03-24 18:28:11 +0545
commite714e996899c305398cafc2af50f8d56630e2ca5 (patch)
treea35e499fadf7e065dd3f31bc8c912f586e5a21ff
parente680b2f912e7334c1b4c8d8bd1b6be0ecf61b0bd (diff)
Do not bother with bogonsv6 if IPv6 allow is off
The rules already block all IPv6 traffic when IPv6 allow is off, so loading the 70,000+ IPv6 bogon table entries is wasted work. On small systems this matters, and I sometimes get errors loading the rules with the default table-entries limit even though I don't use IPv6 at all.
-rw-r--r--etc/inc/filter.inc12
1 files changed, 11 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index a4c1773..b56afac 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -326,6 +326,10 @@ function filter_configure_sync($delete_states_if_needed = true) {
}
}
+ # If allow IPv6 has been unchecked then we can remove any bogonsv6 table (if the table is not there, the kill is still fine).
+ if (!isset($config['system']['ipv6allow']))
+ $_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill");
+
update_filter_reload_status(gettext("Starting up layer7 daemon"));
layer7_start_l7daemon();
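Review bot: The kill at the new line 326 clears the table only at rule-load time; anything that later repopulates `<bogonsv6>` by name (the periodic bogon update job, if it still runs an unconditional `pfctl -t bogonsv6 -T replace` — that script is outside this diff) would bring the 70,000+ entries back until the next filter reload, so it needs the same ipv6allow check. The `exec()` result assigned to `$_grbg` discards the exit status and stderr, so a genuinely failing pfctl is indistinguishable from the expected "table does not exist" case the comment mentions; running it through `mwexec()`, as the rest of the codebase does for pfctl, would log failures without changing behaviour. The enclosing filter_configure_sync() begins and ends outside the hunk.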
@@ -557,7 +561,8 @@ function filter_generate_aliases() {
if (!file_exists("/etc/bogonsv6"))
@file_put_contents("/etc/bogonsv6", "");
$aliases .= "table <bogons> persist file \"/etc/bogons\"\n";
- $aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";
+ if (isset($config['system']['ipv6allow']))
+ $aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";
$vpns_list = filter_get_vpns_list();
if($vpns_list)
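Review bot: Once ipv6allow is unset the `<bogonsv6>` table is no longer declared, so any rule still referencing it by name would make pfctl reject the whole ruleset; the only reference visible in this diff (the IPv6 bogon block rule in the hunk at 2600) is gated the same way, but references outside the diff should be checked before merging. The `/etc/bogonsv6` file is still created unconditionally on the two lines above, which is harmless but reads as inconsistent, so a short comment on the new `if` would help, e.g. `# Only declare the v6 bogon table when IPv6 is enabled; the rules drop all v6 traffic otherwise.` filter_generate_aliases() continues outside the hunk.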
@@ -2595,9 +2600,14 @@ EOD;
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
+
+EOD;
+ if(isset($config['system']['ipv6allow'])) {
+ $ipfrules .= <<<EOD
block in $log quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
EOD;
+ }
}
$isbridged = false;
if(is_array($config['bridges']['bridged'])) {
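Review bot: The new `if(isset($config['system']['ipv6allow']))` around the second heredoc has no comment explaining why the two bogon rules were split, and the reason (the table is only declared when IPv6 is enabled, so the rule would fail to load otherwise) is not obvious from this spot; I would add `# IPv6 bogon rule only when IPv6 is enabled; <bogonsv6> is not declared in the aliases otherwise.` above it. Note the split changes trailing whitespace slightly: with IPv6 disabled `$ipfrules` now ends with the newline from the blank line added inside the first heredoc, while with IPv6 enabled the output is identical to before; pf does not care, but it is worth knowing when diffing generated rulesets. The per-interface loop and the enclosing function start outside the hunk.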