-rw-r--r--etc/inc/filter.inc30
1 files changed, 15 insertions, 15 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 21dd2ee..768289e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2903,6 +2903,20 @@ EOD;
$bogontableinstalled = 0;
foreach ($FilterIflist as $on => $oc) {
+ $saved_tracker += 10;
+ $tracker = $saved_tracker;
+
+ if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
+ // The DHCPv6 client rules ***MUST BE ABOVE BOGONSV6!*** https://redmine.pfsense.org/issues/3395
+ $ipfrules .= <<<EOD
+# allow our DHCPv6 client out to the {$oc['descr']}
+pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+
+EOD;
+ }
+
/* XXX: Not static but give a step of 1000 for each interface to at least be able to match rules. */
$saved_tracker += 1000;
$tracker = $saved_tracker;
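Review bot: Moving these three `quick` pass rules to the top of the per-interface block means the second rule, `pass in ... proto udp from any port = 547 to any port = 546`, now matches before bogonsv6 and before any later block rules on that interface, so any IPv6 source that sets sport 547/dport 546 reaches the DHCPv6 client socket unfiltered; only the first rule is constrained to `fe80::/10`. On-link DHCPv6 server replies arrive from the server's link-local address, so unless unicast server replies from a global address are required here (cannot tell from this hunk), consider tightening it to `pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 547 to any port = 546 ...`; if the wide source is intentional, a comment saying why would keep the next reader from "fixing" it. The redmine reference in the comment explains the ordering but not the scope, so extending it to `// ***MUST BE ABOVE BOGONSV6!*** (#3395); quick rules here bypass every later block on this interface` would make the security trade-off explicit. The enclosing foreach over $FilterIflist continues past the end of this hunk.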
@@ -2933,20 +2947,6 @@ EOD;
}
}
-
- $saved_tracker += 10;
- $tracker = $saved_tracker;
-
- if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
- $ipfrules .= <<<EOD
-# allow our DHCPv6 client out to the {$oc['descr']}
-pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
-pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
-
-EOD;
- }
-
$saved_tracker += 10;
$tracker = $saved_tracker;
@@ -3809,4 +3809,4 @@ function filter_get_antilockout_ports($wantarray = false) {
}
-?>
+?> \ No newline at end of file