From 939f53eff2f08c2ea23e407846e6c4a08d1dcfb6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 17 Jul 2018 09:22:32 +0200
Subject: [PATCH] Firewall, exclude virtual ipv6 interfaces and change getInterfaceMapping() to generator type in the process
---
 src/etc/inc/filter.inc | 3 +--
 src/etc/inc/filter.lib.inc | 2 +-
 src/etc/inc/plugins.inc.d/pf.inc | 2 +-
 src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php | 7 +++++++
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 35da8d3d4..ce8af7acf 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -180,8 +180,7 @@ function filter_configure_sync($verbose = false, $flush_states = false)
 // initialize fw plugin object
 $fw = filter_core_get_initialized_plugin_system();
 filter_core_bootstrap($fw);
- $cnfint = $fw->getInterfaceMapping();
-
+ $cnfint = iterator_to_array($fw->getInterfaceMapping());
 plugins_firewall($fw);
 if (isset($config['filter']['rule'])) {
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 16c5e1f88..d238f3f4a 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -489,7 +489,7 @@ function filter_core_rules_system($fw, $defaults)
 $defaults['pass']
 );
 // ipsec
- if (!empty($fw->getInterfaceMapping()['enc0'])) {
+ if (!empty(iterator_to_array($fw->getInterfaceMapping())['enc0'])) {
 $fw->registerFilterRule(5, array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0', 'label' =>'IPsec internal host to host'),
diff --git a/src/etc/inc/plugins.inc.d/pf.inc b/src/etc/inc/plugins.inc.d/pf.inc
index 14f00e220..03458688f 100644
--- a/src/etc/inc/plugins.inc.d/pf.inc
+++ b/src/etc/inc/plugins.inc.d/pf.inc
@@ -125,7 +125,7 @@ function pf_firewall($fw)
 if (isset($config['filter']['bypassstaticroutes']) && isset($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
 $ifdetails = legacy_interfaces_details();
- $intf = $fw->getInterfaceMapping();
+ $intf = iterator_to_array($fw->getInterfaceMapping());
 $GatewaysList = return_gateways_array(false, true) + return_gateway_groups_array();
 foreach (get_staticroutes() as $route) {
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
index d01de8e3f..68db16bc5 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -87,6 +87,7 @@ class Plugin
 $this->interfaceMapping[$key . '_stf']['ifconfig']['ipv6'] = $intf['ifconfig']['ipv6'];
 $this->interfaceMapping[$key . '_stf']['gatewayv6'] = $intf['gatewayv6'];
 $this->interfaceMapping[$key . '_stf']['descr'] = $intf['descr'];
+ $this->interfaceMapping[$key . '_stf']['is_IPv6_override'] = true;
 // link original interface
 $intf['IPv6_override'] = $key . '_stf';
 }
@@ -180,6 +181,12 @@ class Plugin
 */
 public function getInterfaceMapping()
 {
+ foreach ($this->interfaceMapping as $intfkey => $intf) {
+ // suppress virtual ipv6 interfaces
+ if (empty($intf['is_IPv6_override'])) {
+ yield $intfkey => $intf;
+ }
+ }
 return $this->interfaceMapping;
 }
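Review bot: In the second Plugin.php hunk the old `return $this->interfaceMapping;` is left in place after the new `yield` loop, so getInterfaceMapping() is now a generator and that value is only reachable through `Generator::getReturn()`; it also still holds the `_stf` entries the loop filters out. I would delete that line and change the docblock that closes just above the signature (its text is outside the hunk) to say `@return \Generator interface key => settings, virtual IPv6 (_stf) entries excluded`. Changing the return type from array to generator breaks any caller that indexes or counts the result directly. The three call sites touched in this patch are wrapped in `iterator_to_array()`, but callers outside this diff are not visible here and would presumably fail while the ruleset is being built, so search the tree and plugins for `getInterfaceMapping(` before merging. It is also worth comparing the generated ruleset before and after, to confirm that nothing relied on seeing the `_stf` interfaces in the mapping.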