Automatic rule IPv4 only

Started by dinguz, February 24, 2026, 04:03:34 PM

I have an IPv6-enabled system, and noticed that the automatically generated rule 'let out anything from firewall host itself' is IPv4 only, and I couldn't find a similar rule for IPv6. Are more people seeing this?
In theory there is no difference between theory and practice. In practice there is.

Hello :)

This code in the legacy page is a bit wild in my opinion:

https://github.com/opnsense/core/blob/master/src/www/firewall_rules.php#L54-L68

So, yes, it's a bug but only a visual one. We will discuss what to do.

A ticket is appreciated so this won't be forgotten.


Cheers,
Franco

Today at 12:18:01 AM #3 Last Edit: Today at 12:46:04 AM by pfry
Has this changed? The form as of 25.7.11 is:

pass out log all flags S/SA keep state allow-opts label "[label]"

No IP version specified. Edit: The GUI shows IPv4+IPv6. Second edit: Bah! I see: In the Automation rules (again, 25.7.11). The default deny rule is a pair.

If you look at the code I referenced, it mocks the IPvX display based on the source and destination of the rule in the legacy GUI when it's not there, meaning both IP families. This is a wider issue than just this single rule. It may be better to avoid guessing and just display "*" if we don't explicitly know, and cut down the code.


Cheers,
Franco
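
Added example, not part of the thread and not OPNsense code: a small audit over `pfctl -sr`-style text that reads the address family only from an explicit `inet`/`inet6` keyword, reports "*" when the rule names none (pf then matches both families), and lists rules that exist for one family without a twin for the other. The sample rules, labels and interface name are constructed; the function names are hypothetical.

```python
import shlex

# Constructed sample in the style of `pfctl -sr` output; labels are placeholders.
SAMPLE_RULES = '''\
block drop in log inet all label "constructed-default-deny"
block drop in log inet6 all label "constructed-default-deny"
pass out log all flags S/SA keep state allow-opts label "constructed-let-out"
pass in quick on em0 inet proto tcp from any to any port = 22 label "constructed-ssh"
'''

# In pf rule syntax the address-family keyword, if present, precedes these tokens.
HOST_START = {"proto", "from", "all"}


def address_family(rule):
    """Return 'inet', 'inet6', or '*' when the rule names no family."""
    for tok in shlex.split(rule):      # shlex keeps a quoted label as one token
        if tok in HOST_START:
            break
        if tok in ("inet", "inet6"):
            return tok
    return "*"                         # no keyword: rule applies to IPv4 and IPv6


def single_family_rules(text):
    """List (rule without family keyword, family) for rules lacking a twin."""
    families = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        af = address_family(line)
        # Key = the rule with its family keyword removed, so twins compare equal.
        key = tuple(t for t in shlex.split(line) if t != af)
        families.setdefault(key, set()).add(af)
    return [(" ".join(key), next(iter(afs)))
            for key, afs in families.items()
            if afs in ({"inet"}, {"inet6"})]


if __name__ == "__main__":
    for line in SAMPLE_RULES.splitlines():
        print(f"{address_family(line):5}  {line}")
    for rule, af in single_family_rules(SAMPLE_RULES):
        print(f"only {af}: {rule}")
```
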