Firewall, bogons & privates, add ipprotocol to allow _stf interfaces to choose, for https://github.com/opnsense/core/issues/2546

2026-03-15 09:04:39 +00:00 · 2018-07-17 08:57:03 +02:00 · 2018-07-17 08:57:03 +02:00 · c0fcc2c38d
commit c0fcc2c38d
parent 50fb5bcb0c
2 changed files with 10 additions and 6 deletions
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -307,27 +307,33 @@ function filter_core_rules_system($fw, $defaults)
    // block bogons and private nets
    $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1);
    $privtmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']),
-      'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7',
+      'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16',
      'disablereplyto' => 1);
    foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) {
        $fw->registerFilterRule(5,
-          array('from' => "<bogons>", 'direction' => 'in', 'interface' => $intf,
+          array('from' => "<bogons>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
            'label' => "block bogon IPv4 networks from ".$intfinfo['descr'],
            'disabled' => !isset($intfinfo['blockbogons'])),
          $bogontmpl
        );
        $fw->registerFilterRule(5,
-          array('from' => "<bogonsv6>", 'direction' => 'in', 'interface' => $intf,
+          array('from' => "<bogonsv6>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
            'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']),
            'label' => "block bogon IPv6 networks from ".$intfinfo['descr']),
          $bogontmpl
        );
        $fw->registerFilterRule(5,
-          array('direction' => 'in', 'interface' => $intf,
+          array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
            'label' => "Block private networks from ".$intfinfo['descr'],
            'disabled' => !isset($intfinfo['blockpriv'])),
          $privtmpl
        );
+        $fw->registerFilterRule(5,
+          array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
+            'label' => "Block private networks from ".$intfinfo['descr'],
+            'disablereplyto' => 1, 'from' => 'fc00::/7',
+            'disabled' => !isset($intfinfo['blockpriv']))
+        );
    }

    // interface configuration per type
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@ -85,8 +85,6 @@ class Plugin
                $this->interfaceMapping[$key . '_stf'] = array();
                $this->interfaceMapping[$key . '_stf']['if'] = $key . '_stf'; // TODO: rename to technical name
                $this->interfaceMapping[$key . '_stf']['ifconfig']['ipv6'] = $intf['ifconfig']['ipv6'];
-                $this->interfaceMapping[$key . '_stf']['blockbogons'] = isset($intf['blockbogons']);
-                $this->interfaceMapping[$key . '_stf']['blockpriv'] = isset($intf['blockpriv']);
                $this->interfaceMapping[$key . '_stf']['gatewayv6'] = $intf['gatewayv6'];
                $this->interfaceMapping[$key . '_stf']['descr'] = $intf['descr'];
                // link original interface