From owner-freebsd-pf@FreeBSD.ORG Sun Sep 28 04:17:19 2014
Date: Sun, 28 Sep 2014 00:17:18 -0400
Subject: pf IPv6 NAT using link local addresses
From: Russell Yount
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

    nat on $external inet6 from $local6 to any -> ($external)

results in pf attempting to load balance between the routable IPv6 addresses and the link-local IPv6 address as the translation addresses.

Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

    nat on $external inet6 from $local6 to any -> ($external:0)

results in pf using the link-local IPv6 address as the translation address.

Both of these behaviors are wrong; pf does not understand the scope of IPv6 link-local addresses as different from routable IPv6 addresses.

The following patch permits the use of the ($external:0) syntax to select the first routable IPv6 address rather than the link-local address, so it can be used with IPv6 NAT correctly. It only handles the case of one routable IPv6 address, and the ($external) syntax still attempts to round-robin between routable IPv6 addresses and the link-local IPv6 address. Not sure if changing the ($external) syntax to omit link-local addresses would cause other problems?

-Russ

--- usr/src/sys/contrib//pf/net/pf_if.c-orig 2014-07-10 17:59:41.000000000 -0400 +++ usr/src/sys/contrib//pf/net/pf_if.c 2014-08-24 18:13:57.000000000 -0400
@@ -690,6 +690,10 @@ IN6_IS_ADDR_LINKLOCAL( &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) continue; + if ((flags & PFI_AFLAG_NOALIAS) && af == AF_INET6 && + IN6_IS_ADDR_LINKLOCAL( + &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) + continue; if (flags & PFI_AFLAG_NOALIAS) { if (af == AF_INET && got4) continue;
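Review bot: the added `if` duplicates the three-line link-local test that the preceding context line already performs under another flag (`IN6_IS_ADDR_LINKLOCAL( &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) continue;` is visible directly above the new block), so consider folding `PFI_AFLAG_NOALIAS` into that existing condition's flag mask instead of adding a second copy of the same test. A one-line comment on why link-local addresses are excluded for `(ifname:0)` would also help, because the skip is silent: on an interface that carries only a link-local IPv6 address the rule will now expand to no IPv6 translation address at all rather than to the link-local one, and that behaviour change belongs in the patch description. The cover note says the plain `(ifname)` form still round-robins over the link-local address; if leaving that case untouched is deliberate, state it there as well.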
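To make the address-selection problem concrete, here is an added example that is not pf's own code and not part of Russ's patch: a small userland model of how pf expands "($external)" and "($external:0)" into IPv6 translation candidates, with and without the link-local scope check. The flag names (FLAG_NOALIAS, FLAG_SKIP_LL6), the function names (pick_nat6_addrs, has_linklocal) and the address list are constructed for this example; FreeBSD's real pf_if.c walks the interface's address list with PFI_AFLAG_* flags, which this only mimics.

```c
/*
 * Added example, not pf's own code: a model of how pf expands an interface
 * name such as "($external)" or "($external:0)" into IPv6 translation
 * addresses, with and without the link-local scope check the patch adds.
 * Names (pick_nat6_addrs, has_linklocal, FLAG_*) and the sample address
 * list are constructed for this example.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ADDRS 8

/* Hypothetical flags mirroring the intent of pf's PFI_AFLAG_NOALIAS
 * ("ifname:0", first address of each family only) and of the new skip. */
#define FLAG_NOALIAS   0x01
#define FLAG_SKIP_LL6  0x02

/* Constructed address list for an external interface.  The link-local
 * address is configured first, which is why "(ifname:0)" picks it. */
static const char *sample_ifaddrs[] = {
    "fe80::1",          /* link-local: valid only on this link */
    "2001:db8:1::2",    /* routable */
    "2001:db8:1::3",    /* routable alias */
};
#define SAMPLE_COUNT ((int)(sizeof(sample_ifaddrs) / sizeof(sample_ifaddrs[0])))

/*
 * Walk ifaddrs the way pf walks an interface's address list and copy the
 * addresses it would use as NAT translation candidates into out.
 * Returns the number of candidates written.
 */
int pick_nat6_addrs(const char *const *ifaddrs, int n, unsigned flags,
                    char out[][INET6_ADDRSTRLEN], int max_out)
{
    int got6 = 0, count = 0;

    for (int i = 0; i < n && count < max_out; i++) {
        struct in6_addr a;

        if (inet_pton(AF_INET6, ifaddrs[i], &a) != 1)
            continue;               /* not an IPv6 literal: skip it */

        /* The scope check the patch adds: fe80::/10 is never a usable
         * source for packets that leave the link, so do not offer it. */
        if ((flags & FLAG_SKIP_LL6) && IN6_IS_ADDR_LINKLOCAL(&a))
            continue;

        /* "ifname:0" semantics: only the first address of the family. */
        if ((flags & FLAG_NOALIAS) && got6)
            continue;

        got6 = 1;
        snprintf(out[count++], INET6_ADDRSTRLEN, "%s", ifaddrs[i]);
    }
    return count;
}

/* True if any chosen candidate is link-local, i.e. the NAT rule would
 * translate to an address that cannot be routed off the interface. */
int has_linklocal(char out[][INET6_ADDRSTRLEN], int count)
{
    for (int i = 0; i < count; i++) {
        struct in6_addr a;
        if (inet_pton(AF_INET6, out[i], &a) == 1 && IN6_IS_ADDR_LINKLOCAL(&a))
            return 1;
    }
    return 0;
}

int main(void)
{
    char out[MAX_ADDRS][INET6_ADDRSTRLEN];
    const unsigned cases[] = { FLAG_NOALIAS, FLAG_NOALIAS | FLAG_SKIP_LL6,
                               0, FLAG_SKIP_LL6 };
    const char *labels[] = { "($external:0) unpatched",
                             "($external:0) with scope check",
                             "($external) unpatched",
                             "($external) with scope check" };

    for (size_t c = 0; c < sizeof(cases) / sizeof(cases[0]); c++) {
        int n = pick_nat6_addrs(sample_ifaddrs, SAMPLE_COUNT, cases[c],
                                out, MAX_ADDRS);
        printf("%-32s ->", labels[c]);
        for (int i = 0; i < n; i++)
            printf(" %s", out[i]);
        printf("%s\n", has_linklocal(out, n) ? "  [link-local in set]" : "");
    }
    return 0;
}
```

Run stand-alone, the program prints one line per case; the two "unpatched" cases reproduce the behaviour described in the message (the :0 form yields fe80::1 alone, the plain form yields all three addresses including fe80::1), while the scope-checked cases offer only the routable addresses. A quick way to audit a live rule set for the same problem is to compare `pfctl -sn` output against the interface's address list and look for an fe80::/10 translation address.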