From eccf93e2fd033d9ec7d661490b3281f22a48b664 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 12 Jan 2024 12:27:09 +0100
Subject: [PATCH] firewall: put the validation back lost in the refactor; closes #6383

We may have to extend to SLAAC as well, but let's see how this works in practice first.
---
 .../app/models/OPNsense/Firewall/Filter.php | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 7aa322e84..df707ba97 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -40,6 +40,8 @@ class Filter extends BaseModel
      */
     public function performValidation($validateFullModel = false)
     {
+        $config = Config::getInstance()->object();
+
         // standard model validations
         $messages = parent::performValidation($validateFullModel);
         foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
@@ -95,14 +97,28 @@ class Filter extends BaseModel
                 }
             }
         }
+
         foreach ($this->npt->rule->iterateItems() as $rule) {
             if ($validateFullModel || $rule->isFieldChanged()) {
-                if (!empty((string)$rule->destination_net) && !empty((string)$rule->trackif)) {
-                    $messages->appendMessage(new Message(
-                        gettext("A track interface is only allowed without an extrenal prefix."),
-                        $rule->trackif->__reference
-                    ));
+                if (!empty((string)$rule->trackif)) {
+                    if (!empty((string)$rule->destination_net)) {
+                        $messages->appendMessage(new Message(
+                            gettext('A track interface is only allowed without an external prefix.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
+
+                    if ((empty($config->interfaces->{$rule->interface}->ipaddrv6) ||
+                        $config->interfaces->{$rule->interface}->ipaddrv6 != 'dhcp6') ||
+                        empty($config->interfaces->{$rule->trackif}->{'track6-interface'}) ||
+                        $config->interfaces->{$rule->trackif}->{'track6-interface'} != (string)$rule->interface) {
+                        $messages->appendMessage(new Message(
+                            gettext('This interface is not tracking the current rule interface.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
                 }
+
                 if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
                     /* defaults to /128 */
                     $dparts = explode('/', (string)$rule->destination_net . '/128');
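Review bot: The new tracking condition starting at `if ((empty($config->interfaces->{$rule->interface}->ipaddrv6) ||` is hard to read and uses the same field in two forms: `$rule->interface` is fed unconverted as a dynamic property name in `{$rule->interface}` but cast with `(string)` in the comparison three lines later, and the two `!=` comparisons rely on loose conversion of the config node to a string. Casting explicitly and binding the two interface nodes to locals makes the intent clear, allows strict `!==`, and removes the redundant outer parentheses around the first two terms; the `?? ''` fallbacks keep the missing-node behaviour the `empty()` guards provide, assuming `object()` returns nodes where an absent child is not set. `$config` is assigned in the first hunk at the top of `performValidation`, whose body continues outside this hunk. A short comment such as `// a track interface is only valid if it tracks the rule interface, which must be dhcp6` above the check would also spell out why both halves are required.
```php
$ifcfg = $config->interfaces->{(string)$rule->interface} ?? null;
$trackcfg = $config->interfaces->{(string)$rule->trackif} ?? null;
if ((string)($ifcfg->ipaddrv6 ?? '') !== 'dhcp6' ||
    (string)($trackcfg->{'track6-interface'} ?? '') !== (string)$rule->interface) {
    // … unchanged: appendMessage('This interface is not tracking the current rule interface.') …
}
```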