author | Phil Davis <phil.davis@inf.org> | 2015-01-04 20:17:20 +0545
committer | Chris Buechler <cmb@pfsense.org> | 2015-01-05 12:57:38 -0600
commit | 055bd1ee0c2afd941d0f91ba3641c927517b6f6b (patch)
tree | e7acd00602a94b3f3250ea7166e0fc1698504fca /etc
parent | 91a84a26c8c79ec28715992982c9273bdab2907c (diff)
Allow IPv6 on loopback needs quick
The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick".
Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074
Before this change, an attempt to manually do something local with IPv6 fails:
[2.2-RC][root@xxx]/root: ntpq -pn
ntpq: write to localhost failed: Operation not permitted
After this change, it works:
[2.2-RC][root@xxx]/root: ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*27.114.150.12 193.190.230.65 2 u 21 64 377 1424.66 -126.52 371.131
Note that there are other pass rules later for IPv6 necessary functions, loopback... that do not have "quick". Those are correct and help to allow various essential IPv6 stuff, but still let someone block it with user rules (which will have quick), in the case when IPv6 Allow is checked.
This one here is just for the special case of IPv6 Allow not set, and in this case this special IPv6 pass-block sequence needs to be done with "quick" so we can be sure it applies regardless of whatever other IPv6 might come later.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 06b99aa..216df08 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2747,8 +2747,8 @@ function filter_rules_generate() { if(!isset($config['system']['ipv6allow'])) { $ipfrules .= "# Allow IPv6 on loopback\n"; - $ipfrules .= "pass in {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label \"pass IPv6 loopback\"\n"; - $ipfrules .= "pass out {$log['pass']} on \$loopback inet6 all tracker {$increment_tracker($tracker)} label \"pass IPv6 loopback\"\n"; + $ipfrules .= "pass in {$log['pass']} quick on \$loopback inet6 all tracker {$increment_tracker($tracker)} label \"pass IPv6 loopback\"\n"; + $ipfrules .= "pass out {$log['pass']} quick on \$loopback inet6 all tracker {$increment_tracker($tracker)} label \"pass IPv6 loopback\"\n"; $ipfrules .= "# Block all IPv6\n"; $ipfrules .= "block in {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; $ipfrules .= "block out {$log['block']} quick inet6 all tracker {$increment_tracker($tracker)} label \"Block all IPv6\"\n"; |
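Review bot: the existing comment line `# Allow IPv6 on loopback` should now say why `quick` is required on the two pass rules, because the correctness of this hunk depends on the two `block ... quick inet6 all` rules that follow it. In pf the last matching rule wins unless a rule carries `quick`, so before this change the non-quick `pass in`/`pass out` on `$loopback` were overridden by the quick block rules (the `ntpq: write to localhost failed: Operation not permitted` symptom in the commit message); with `quick` added, loopback IPv6 now terminates evaluation at the pass rule, which is the intended behaviour only inside this `!isset($config['system']['ipv6allow'])` branch. Suggest something like `# Allow IPv6 on loopback (quick: must win over the "Block all IPv6" quick rules below)` so a later edit does not drop the keyword again. Everything else in the hunk (`{$log['pass']}`, the `tracker {$increment_tracker($tracker)}` calls and labels) is unchanged, so tracker numbering is unaffected.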