From c0fcc2c38d31f3aa84434c882b1500d2041e4e2b Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 17 Jul 2018 08:57:03 +0200
Subject: [PATCH] Firewall, bogons & privates, add ipprotocol to allow _stf interfaces to choose, for https://github.com/opnsense/core/issues/2546

---
 src/etc/inc/filter.lib.inc | 14 ++++++++++----
 .../mvc/app/library/OPNsense/Firewall/Plugin.php | 2 --
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 2866aa215..3637385b5 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -307,27 +307,33 @@ function filter_core_rules_system($fw, $defaults)
     // block bogons and private nets
     $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1);
     $privtmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']),
-        'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7',
+        'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16',
         'disablereplyto' => 1);
     foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) {
         $fw->registerFilterRule(5,
-          array('from' => "", 'direction' => 'in', 'interface' => $intf,
+          array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
                 'label' => "block bogon IPv4 networks from ".$intfinfo['descr'],
                 'disabled' => !isset($intfinfo['blockbogons'])),
           $bogontmpl
         );
         $fw->registerFilterRule(5,
-          array('from' => "", 'direction' => 'in', 'interface' => $intf,
+          array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
                 'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']),
                 'label' => "block bogon IPv6 networks from ".$intfinfo['descr']),
           $bogontmpl
         );
         $fw->registerFilterRule(5,
-          array('direction' => 'in', 'interface' => $intf,
+          array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
                 'label' => "Block private networks from ".$intfinfo['descr'],
                 'disabled' => !isset($intfinfo['blockpriv'])),
           $privtmpl
         );
+        $fw->registerFilterRule(5,
+          array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
+                'label' => "Block private networks from ".$intfinfo['descr'],
+                'disablereplyto' => 1, 'from' => 'fc00::/7',
+                'disabled' => !isset($intfinfo['blockpriv']))
+        );
     }
 
     // interface configuration per type
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
index 88beb2897..d01de8e3f 100644
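Review bot: The added IPv6 private-networks rule (the new `registerFilterRule(5, ...)` call after the IPv4 `$privtmpl` rule) is registered without the `$privtmpl` template, so unlike its three siblings it carries no `'type' => 'block'` and no `'log'` tied to `nologprivatenets`; whatever default type the rule builder applies, the hunk does not visibly make this a logged block of fc00::/7. Passing `$privtmpl` as the third argument and dropping the now-duplicated `'disablereplyto' => 1` keeps all four rules consistent, assuming registerFilterRule lets the rule's own `'from' => 'fc00::/7'` take precedence over the template's IPv4 list. This rule is also not gated on `$config['system']['ipv6allow']` the way the IPv6 bogon rule above it is, which looks like an oversight worth a comment if deliberate. Separately, the Plugin.php hunk stops populating `blockbogons`/`blockpriv` for `_stf` entries, so the `'disabled' => !isset($intfinfo[...])` checks here now disable all four rules on those interfaces unless the flags are inherited by code outside that hunk; the old `isset()`-valued keys made them unconditionally enabled, so either way the behaviour change deserves a note in the commit message. filter_core_rules_system continues outside the hunk.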
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -85,8 +85,6 @@ class Plugin
                 $this->interfaceMapping[$key . '_stf'] = array();
                 $this->interfaceMapping[$key . '_stf']['if'] = $key . '_stf'; // TODO: rename to technical name
                 $this->interfaceMapping[$key . '_stf']['ifconfig']['ipv6'] = $intf['ifconfig']['ipv6'];
-                $this->interfaceMapping[$key . '_stf']['blockbogons'] = isset($intf['blockbogons']);
-                $this->interfaceMapping[$key . '_stf']['blockpriv'] = isset($intf['blockpriv']);
                 $this->interfaceMapping[$key . '_stf']['gatewayv6'] = $intf['gatewayv6'];
                 $this->interfaceMapping[$key . '_stf']['descr'] = $intf['descr'];
                 // link original interface