From b5bda2bda48d0d85b3e4f66cddf4af80c6063031 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sun, 31 Jul 2022 13:08:16 +0200
Subject: [PATCH] firewall: also exclude reply-to and route-to

PR: https://forum.opnsense.org/index.php?topic=29554.0
---
 src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
index ded6144ef..79c749674 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
@@ -255,9 +255,11 @@ abstract class Rule
 }
 } elseif (!empty($interfaces[$network_name]['if'])) {
 $rule[$target] = "({$interfaces[$network_name]['if']}:network)";
- if ($rule['ipprotocol'] == 'inet6' && $this instanceof FilterRule && $rule['interface'] == $network_name) {
- /* historically pf(4) excludes link-local on :network to avoid anti-spoof overlap */
- $rule[$target] .= ',fe80::/10';
+ if ($rule['ipprotocol'] == 'inet6' && $rule['interface'] == $network_name) {
+ if ($this instanceof FilterRule && empty($rule['gateway']) && empty($rule['reply'])) {
+ /* historically pf(4) excludes link-local on :network to avoid anti-spoof overlap */
+ $rule[$target] .= ',fe80::/10';
+ }
 }
 } elseif (Util::isIpAddress($rule[$tag]['network']) || Util::isSubnet($rule[$tag]['network'])) {
 $rule[$target] = $rule[$tag]['network'];
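Review bot: The comment kept on the inner branch no longer explains the condition around it: it says pf(4) excludes link-local on `:network`, while the code appends `fe80::/10` and the new `empty($rule['gateway']) && empty($rule['reply'])` test now skips that for policy-routed rules. Someone auditing the generated ruleset needs to know that a rule with route-to or reply-to set on an interface network stops matching link-local peers, so I would reword it to something like `/* pf(4) leaves link-local out of :network, add it back unless the rule uses route-to/reply-to */` and state the reason for the exemption, which the diff does not show (presumably link-local traffic should not be policy-routed). The two nested `if`s could also be one condition, since the outer one has no other body. The enclosing method starts and ends outside this hunk, so whether `$rule['reply']` is populated before this point cannot be confirmed from here.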