From 2412d574f3b574e2c7398195f6ef8b28ff1d556a Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 29 Jul 2022 08:16:55 +0200
Subject: [PATCH] firewall: reduce impact of link-local inject to FilterRule on matching interface; closes #5907

Now we know why pf(4) does not want to fix this. ;)
---
 src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
index fd9b54a10..ded6144ef 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
@@ -255,7 +255,7 @@ abstract class Rule
 }
 } elseif (!empty($interfaces[$network_name]['if'])) {
 $rule[$target] = "({$interfaces[$network_name]['if']}:network)";
- if ($rule['ipprotocol'] == 'inet6') {
+ if ($rule['ipprotocol'] == 'inet6' && $this instanceof FilterRule && $rule['interface'] == $network_name) {
 /* historically pf(4) excludes link-local on :network to avoid anti-spoof overlap */
 $rule[$target] .= ',fe80::/10';
 }
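Review bot: The comment under the widened condition still explains only why `fe80::/10` is appended, not why the append is now limited to a `FilterRule` on the rule's own interface, and that limit is what keeps a `:network` match on another interface or in a rule of another class from silently taking in the whole link-local range. I would extend it to something like `/* pf(4) leaves link-local out of :network; add fe80::/10 only for filter rules on the interface that owns the network, so other rules are not widened */`. Both comparisons in the new condition are loose; `$rule['ipprotocol'] === 'inet6'` and `$rule['interface'] === $network_name` would avoid type juggling, assuming both sides are always strings at this point, which the hunk does not show. It is also worth confirming, outside this hunk, how the comma-joined value is rendered when the address is negated, since the appended range turns a single address into a list. The enclosing method starts and ends outside the hunk.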