Date:      Sun, 28 Sep 2014 00:17:18 -0400
From:      Russell Yount <russell.yount@gmail.com>
To:        freebsd-pf@freebsd.org
Cc:        Russell Yount <russell.yount@gmail.com>
Subject:   pf IPv6 NAT using link local addresses
Message-ID:  <CA%2BstrHHaGpkGVeu8Nn-pTL5r32VzvN76SODH3KxgGyYUkF1_nQ@mail.gmail.com>

Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

     nat on $external inet6 from $local6 to any -> ($external)

results in pf attempting to load balance between the routable IPv6
addresses and the link-local IPv6 address as the translation addresses.

Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

     nat on $external inet6 from $local6 to any -> ($external:0)

results in pf using the link-local IPv6 address as the translation
address.

Both of these behaviors are wrong; pf does not understand scope of IPv6
link-local addresses as different from routable IPv6 addresses.

The following patch permits the use of ($external::0) syntax to select the
first routable IPv6 address rather than the link-local address so it can be
used with IPv6 NAT correctly. It only handles the case of one routable IPv6
address and ($external) syntax still attempts to round-robin between
routable IPv6 addresses and the link-local IPv6 address. Not sure if
changing ($external) syntax to omit link-local addresses would cause other
problems?

-Russ <russell.yount@gmail.com>

--- usr/src/sys/contrib//pf/net/pf_if.c-orig    2014-07-10
17:59:41.000000000 -0400
+++ usr/src/sys/contrib//pf/net/pf_if.c 2014-08-24 18:13:57.000000000 -0400
@@ -690,6 +690,10 @@
                    IN6_IS_ADDR_LINKLOCAL(
                    &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
                        continue;
+               if ((flags & PFI_AFLAG_NOALIAS) && af == AF_INET6 &&
+                   IN6_IS_ADDR_LINKLOCAL(
+                   &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
+                       continue;
                if (flags & PFI_AFLAG_NOALIAS) {
                        if (af == AF_INET && got4)
                                continue;

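The selection the patch changes, as an added userland model that is neither the author's patch nor pf code: it applies the same IN6_IS_ADDR_LINKLOCAL test to a constructed list of interface addresses, so you can see which address the ($external:0) form picks with and without the skip, and how large the ($external) round-robin pool is in each case. The function names, the `skip_linklocal` flag and the sample addresses are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <sys/socket.h>

/* Constructed sample of what pf enumerates on $external: FreeBSD brings up
 * the link-local address first, routable ones follow (documentation-prefix
 * values, not taken from the post). */
static const char *EXTERNAL_ADDRS[] = { "fe80::1", "2001:db8::1", "2001:db8::2" };
#define N_ADDRS (sizeof EXTERNAL_ADDRS / sizeof EXTERNAL_ADDRS[0])

/* Same test the patch adds: skip_linklocal models PFI_AFLAG_NOALIAS with the
 * patch applied (1) or without it (0). Returns 1 if the address is kept. */
static int keep_addr(size_t i, int skip_linklocal, struct in6_addr *a)
{
    if (inet_pton(AF_INET6, EXTERNAL_ADDRS[i], a) != 1)
        return 0;                       /* unparsable sample: never kept */
    return !(skip_linklocal && IN6_IS_ADDR_LINKLOCAL(a));
}

/* ($external:0) model: index of the address pf uses as the translation
 * address, or -1 when nothing qualifies. Optionally copies its text to out. */
int pick_translation_addr(int skip_linklocal, char *out, size_t outlen)
{
    for (size_t i = 0; i < N_ADDRS; i++) {
        struct in6_addr a;
        if (!keep_addr(i, skip_linklocal, &a))
            continue;                   /* the patch's new `continue` */
        if (out != NULL)
            inet_ntop(AF_INET6, &a, out, (socklen_t)outlen);
        return (int)i;
    }
    return -1;
}

/* ($external) model: size of the pool pf round-robins over. */
int count_translation_pool(int skip_linklocal)
{
    int n = 0;
    for (size_t i = 0; i < N_ADDRS; i++) {
        struct in6_addr a;
        n += keep_addr(i, skip_linklocal, &a);
    }
    return n;
}
```

With the sample list, the unpatched :0 path returns index 0 (fe80::1) while the patched path returns index 1 (2001:db8::1); the round-robin pool shrinks from 3 to 2 only if the same skip were also applied to the ($external) form, which the patch does not do.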