authorPhil Davis <phil.davis@inf.org>2015-03-14 20:24:25 +0545
committerRenato Botelho <garga@FreeBSD.org>2015-03-16 08:21:41 -0300
commit08b02994b1204a48f9283d2b431d32472ce51da5 (patch)
tree6564b0120323117740d7171191a3260789b0d385 /etc
parent06144727b0d97a73b0288d2efb620df9a1d51554 (diff)
downloadpfsense-08b02994b1204a48f9283d2b431d32472ce51da5.zip
pfsense-08b02994b1204a48f9283d2b431d32472ce51da5.tar.gz
Use subnet address in OPT net rules
Example: LAN IP 10.0.1.1/24 OPT1 IP 10.0.2.1/24 Rules with SRC or DST LANnet correctly have 10.0.0.0/24 (the subnet base address) in /tmp/rules.debug Rules with SRC or DST OPT1net have 10.0.2.1/24 (the OPT1 IP address with OPT1 net mask) in /tmp/rules.debug It still works (I think) because 10.0.2.1/24 and 10.0.2.0/24, interpreted as a subnet, still describe the same set of IP addresses, but it looks odd, as reported by: https://forum.pfsense.org/index.php?topic=90096.msg498474#msg498474 Same issue with IPv6 for OPT1net rules. This fixes the rule generation so that OPT1net uses the base subnet address in the rule, in the same way that LANnet and WANnet do.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc20
1 files changed, 11 insertions, 9 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 194f8d8..23bce61 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2236,12 +2236,13 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
if(strstr($rule[$target]['network'], "opt")) {
$optmatch = "";
$matches = "";
- if($rule['ipprotocol'] == "inet6") {
- if(preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
- $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6'];
- if(!is_ipaddrv6($opt_ip))
+ if ($rule['ipprotocol'] == "inet6") {
+ if (preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
+ $opt_sa = $FilterIflist["opt{$optmatch[1]}"]['sav6'];
+ if (!is_ipaddrv6($opt_sa)) {
return "";
- $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
+ }
+ $src = $opt_sa . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
/* check for opt$NUMip here */
} else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
$src = $FilterIflist["opt{$matches[1]}"]['ipv6'];
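Review bot: The guard `if (!is_ipaddrv6($opt_sa)) { return ""; }` now depends on `['sav6']` being populated for every OPT interface in `$FilterIflist`, and the mask appended on the following line (`['snv6']`) is still not validated at all. If an interface has an address but no computed subnet address, the function returns an empty string where it previously emitted the interface IP. What the caller does with an empty address is outside this hunk, but a block rule that silently drops out of the generated ruleset fails open. I would validate the prefix length in the same guard, `if (!is_ipaddrv6($opt_sa) || !is_numeric($FilterIflist["opt{$optmatch[1]}"]['snv6'])) {`, and add a `log_error()` call naming the interface before the `return "";` so a skipped rule is visible. The same applies to the IPv4 branch in the second hunk (`['sa']` / `['sn']`), and filter_generate_address starts and ends outside both hunks.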
@@ -2251,11 +2252,12 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
$src = " !{$src}";
}
} else {
- if(preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
- $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
- if(!is_ipaddrv4($opt_ip))
+ if (preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
+ $opt_sa = $FilterIflist["opt{$optmatch[1]}"]['sa'];
+ if (!is_ipaddrv4($opt_sa)) {
return "";
- $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
+ }
+ $src = $opt_sa . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
/* check for opt$NUMip here */
} else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
$src = $FilterIflist["opt{$matches[1]}"]['ip'];