Bug ID 506452: Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0, 11.5.2 HF1

Opened: Feb 12, 2015
Severity: 3-Major

Symptoms

Firewall rule matching sometimes returns the wrong result when firewall rules are configured with a source or destination IPv6 address whose most significant bit is 1. Examples of such IPv6 addresses: dfdf::/128, bbbb::/64.

Impact

A firewall rule configured with such an IPv6 address may accept or deny packets that do not match the rule.

Conditions

Firewall rules are configured with a source or destination IPv6 address whose most significant bit is 1.
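
To check whether a rule set meets this condition, the following added example (not F5 code and not part of the original bug record) flags every IPv6 source or destination prefix whose top bit is 1. The `(rule_name, field, prefix)` tuple format, the rule names, and the sample entries are constructed for illustration; feed it addresses exported from your own configuration.

```python
import ipaddress

def msb_set(prefix: str) -> bool:
    """True if prefix is IPv6 and bit 127 of its network address is 1."""
    # strict=False accepts entries written with host bits set, e.g. dfdf::1/64.
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 6 and (int(net.network_address) >> 127) == 1

def audit(rules):
    """rules: iterable of (rule_name, field, prefix) tuples (assumed format).

    Returns (affected, unparseable) so malformed entries are reported
    instead of being silently treated as unaffected.
    """
    affected, unparseable = [], []
    for name, field, prefix in rules:
        try:
            if msb_set(prefix):
                affected.append((name, field, prefix))
        except ValueError:
            unparseable.append((name, field, prefix))
    return affected, unparseable

# Constructed sample rule set. Any address starting with hex digit 8-f has
# the top bit set, which includes unique-local (fc00::/7), link-local
# (fe80::/10) and multicast (ff00::/8); global unicast 2000::/3 does not.
SAMPLE_RULES = [
    ("allow_mgmt", "source", "dfdf::/128"),
    ("allow_app", "destination", "bbbb::/64"),
    ("allow_gua", "source", "2001:db8::/32"),
    ("deny_ula", "destination", "fd00::/8"),
    ("allow_linklocal", "source", "fe80::/10"),
    ("allow_v4", "source", "192.0.2.0/24"),        # IPv4: not in scope
    ("malformed", "source", "bbbb://64"),          # not a valid prefix
    ("boundary_low", "source", "7fff:ffff::/32"),  # top bit 0
    ("boundary_high", "source", "8000::/1"),       # top bit 1
]

if __name__ == "__main__":
    affected, bad = audit(SAMPLE_RULES)
    for name, field, prefix in affected:
        print(f"AFFECTED   {name:<16} {field:<12} {prefix}")
    for name, field, prefix in bad:
        print(f"UNPARSEABLE {name:<15} {field:<12} {prefix}")
```

Rules listed as affected should be re-tested after upgrading to a fixed version, since the record lists no workaround.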

Workaround

None

Fix Information

Fixed the firewall rule compilation module to correctly process IPv6 addresses whose most significant bit is 1.

Behavior Change