Any IPv6 destination is allowed in ACL #1868

@gstorme

Description

Describe the bug
For every ACL created without any IPv6 destinations, an ip6 saddr entry is created with an accept, without an ip6 daddr.
This causes any IPv6-enabled client to reach any IPv6 destination.

We have this configured on the location:

  • Enable ACL for this location
  • Default ACL Policy: Deny

To Reproduce
Create a location with ACL enabled and default policy deny.
Specify an IPv6 address on the location settings.
Create an ACL rule with only IPv4 destinations.

Expected behavior
This ACL should not create the rule for ip6 saddr unless IPv6 destinations are specified in the ACL, so the rule can include an ip6 daddr.

Version information

  • Defguard Core version: v1.6.1
  • Defguard Gateway version: v1.6.0
  • Operating system and version running the gateway: Debian 13

Additional context
This rule is created by the ACL, where I only allowed "1.1.1.1, 2.2.2.2" in the destinations.

ip saddr { 10.99.0.2-10.99.0.25, 10.99.0.27-10.99.0.107 } ip daddr { 1.1.1.1, 2.2.2.2 } counter packets 0 bytes 0 accept comment "ACL 62 - example ALLOW"
ip6 saddr { 2a00:masked:fff1:3000::2-2a00:masked:fff1:3000::10, 2a00:masked:fff1:3000::501-2a00:masked:fff1:3000::510, 2a00:masked:fff1:3000::512-2a00:masked:fff1:3000::518, 2a00:masked:fff1:3000::51a-2a00:masked:fff1:3000::537, 2a00:masked:fff1:3000::539-2a00:masked:fff1:3000::55d } counter packets 0 bytes 0 accept comment "ACL 62 - example ALLOW"
ip saddr { 0.0.0.0/0 } ip daddr { 1.1.1.1, 2.2.2.2 } counter packets 0 bytes 0 drop comment "ACL 62 - example DENY"
ip6 saddr { ::/0 } counter packets 0 bytes 0 drop comment "ACL 62 - example DENY"
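To make the reported behaviour concrete, the following is an added model of the rule generation the report describes; it is not Defguard's code. The data model (`Acl`), the function names, and the `buggy` switch are assumptions made for this illustration; the IPv6 source ranges use the 2001:db8::/32 documentation prefix and are constructed. With `buggy=True` it emits the four rules in the shape pasted above (an `ip6 saddr ... accept` with no `ip6 daddr`); with `buggy=False` it applies the expected behaviour, emitting IPv6 rules only when the ACL actually carries IPv6 destinations. `unrestricted_accepts` is the check an operator can run over the lines of `nft list ruleset` to find accept rules that match no destination at all.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Acl:
    """Hypothetical ACL model: nft set elements for sources, host addresses for destinations."""
    acl_id: int
    name: str
    sources_v4: list[str] = field(default_factory=list)
    sources_v6: list[str] = field(default_factory=list)
    destinations: list[str] = field(default_factory=list)


def _split_destinations(dests: list[str]) -> tuple[list[str], list[str]]:
    """Split destination hosts by address family."""
    v4 = [d for d in dests if ip_address(d).version == 4]
    v6 = [d for d in dests if ip_address(d).version == 6]
    return v4, v6


def _rule(family: str, saddr: list[str], daddr: list[str], verdict: str, comment: str) -> str:
    """Render one nft rule; a daddr match is only emitted when daddr is non-empty."""
    parts = [f"{family} saddr {{ {', '.join(saddr)} }}"]
    if daddr:
        parts.append(f"{family} daddr {{ {', '.join(daddr)} }}")
    parts.append(f'counter {verdict} comment "{comment}"')
    return " ".join(parts)


def render_acl(acl: Acl, buggy: bool) -> list[str]:
    """Render allow/deny rules for one ACL.

    buggy=True reproduces the reported behaviour: ip6 rules are emitted whenever
    IPv6 sources exist, even with no IPv6 destination, so the accept has no daddr.
    buggy=False applies the expected behaviour: ip6 rules only when dst6 is non-empty.
    """
    dst4, dst6 = _split_destinations(acl.destinations)
    allow = f"ACL {acl.acl_id} - {acl.name} ALLOW"
    deny = f"ACL {acl.acl_id} - {acl.name} DENY"
    rules: list[str] = []
    if dst4 and acl.sources_v4:
        rules.append(_rule("ip", acl.sources_v4, dst4, "accept", allow))
    if acl.sources_v6 and (dst6 or buggy):
        rules.append(_rule("ip6", acl.sources_v6, dst6, "accept", allow))
    if dst4:
        rules.append(_rule("ip", ["0.0.0.0/0"], dst4, "drop", deny))
    if dst6 or buggy:
        rules.append(_rule("ip6", ["::/0"], dst6, "drop", deny))
    return rules


def unrestricted_accepts(rules: list[str]) -> list[str]:
    """Accept rules with no daddr match: the over-permissive condition the report describes.

    Works on rendered rules and on the lines of `nft list ruleset` alike.
    """
    return [r for r in rules if " accept" in r and " daddr " not in r]


# Constructed ACL mirroring the report: IPv4 and IPv6 sources, IPv4-only destinations.
EXAMPLE_ACL = Acl(
    acl_id=62,
    name="example",
    sources_v4=["10.99.0.2-10.99.0.25", "10.99.0.27-10.99.0.107"],
    sources_v6=["2001:db8:1::2-2001:db8:1::10", "2001:db8:1::501-2001:db8:1::510"],
    destinations=["1.1.1.1", "2.2.2.2"],
)

if __name__ == "__main__":
    for label, flag in (("reported", True), ("expected", False)):
        print(f"# {label} behaviour")
        for rule in render_acl(EXAMPLE_ACL, buggy=flag):
            print(rule)
```

Running the script prints the reported rule set first (four rules, the second being the IPv6 accept with no daddr) and then the expected set, which contains only the two IPv4 rules because the ACL names no IPv6 destination. Adding an IPv6 host to `destinations` makes the expected set emit an `ip6` accept that carries an `ip6 daddr` match.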

Labels: bug

Status: Ready to release