firewall: put the validation back lost in the refactor; closes #6383

We may have to extend to SLAAC as well, but let's see how this works in practice first.
2026-03-13 16:14:40 +00:00 · 2024-01-12 12:27:09 +01:00 · 2024-01-12 12:27:09 +01:00 · eccf93e2fd
commit eccf93e2fd
parent cfc2c709e4
1 changed files with 21 additions and 5 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@ -40,6 +40,8 @@ class Filter extends BaseModel
     */
    public function performValidation($validateFullModel = false)
    {
+        $config = Config::getInstance()->object();
+
        // standard model validations
        $messages = parent::performValidation($validateFullModel);
        foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
@ -95,14 +97,28 @@ class Filter extends BaseModel
                }
            }
        }
+
        foreach ($this->npt->rule->iterateItems() as $rule) {
            if ($validateFullModel || $rule->isFieldChanged()) {
-                if (!empty((string)$rule->destination_net) && !empty((string)$rule->trackif)) {
-                    $messages->appendMessage(new Message(
-                        gettext("A track interface is only allowed without an extrenal prefix."),
-                        $rule->trackif->__reference
-                    ));
+                if (!empty((string)$rule->trackif)) {
+                    if (!empty((string)$rule->destination_net)) {
+                        $messages->appendMessage(new Message(
+                            gettext('A track interface is only allowed without an external prefix.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
+
+                    if ((empty($config->interfaces->{$rule->interface}->ipaddrv6) ||
+                        $config->interfaces->{$rule->interface}->ipaddrv6 != 'dhcp6') ||
+                        empty($config->interfaces->{$rule->trackif}->{'track6-interface'}) ||
+                        $config->interfaces->{$rule->trackif}->{'track6-interface'} != (string)$rule->interface) {
+                        $messages->appendMessage(new Message(
+                            gettext('This interface is not tracking the current rule interface.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
                }
+
                if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
                    /* defaults to /128 */
                    $dparts = explode('/', (string)$rule->destination_net . '/128');