firmware: `better' fix for IPv6 loopback allow; #271

`block quick' creates a chain-reaction that requires `pass quick' for loopback traffic, even though we have non-quick loopback pass rules below. If `quick' ought to be used, non-quick should be removed completely, but that is beyond the scope of this fix. For now, rather pass all IPv6 traffic on the looback device as opposed to passing all IPv6 traffic with an IPv6 loopback address.

firmware: `better' fix for IPv6 loopback allow; #271
`block quick' creates a chain-reaction that requires `pass quick' for loopback traffic, even though we have non-quick loopback pass rules below. If `quick' ought to be used, non-quick should be removed completely, but that is beyond the scope of this fix. For now, rather pass all IPv6 traffic on the looback device as opposed to passing all IPv6 traffic with an IPv6 loopback address.
a62931b4 · Franco Fichtner · 102443a3 · a62931b4
Commit a62931b4 authored Jul 30, 2015 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

filter.inc src/etc/inc/filter.inc +2 -3

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -2611,9 +2611,8 @@ function filter_rules_generate()

 	if (!isset($config['system']['ipv6allow'])) {
 		$ipfrules .= "\n# Block all IPv6 except loopback traffic\n";
-		$ipfrules .= "pass quick inet6 from ::1 to ::1\n";
-		$ipfrules .= "block in {$log['block']} quick inet6 all  label \"Block all IPv6\"\n";
-		$ipfrules .= "block out {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
+		$ipfrules .= "pass {$log['pass']} quick on \$loopback inet6\n";
+		$ipfrules .= "block {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
 	}

 	$ipfrules .= <<<EOD