From: Lexi Winter
To: Dirk-Willem van Gulik
Cc: FreeBSD Hackers
Subject: Re: IPv6 and IPv4 combined rules in pf.conf
Date: Wed, 8 May 2024 21:14:27 +0100
References: <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Dirk-Willem van Gulik:
> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
> listening to - is there a recommended way to set up pf.conf to avoid
> mistakes/duplication ?
>
> To avoid duplication in constructs such as:
>
> # Foo app servers
> foobarserver_host4=231.17.X.Y
> foobarserver_host6=fe80::5246:…
>
> # Load balancers - direct or via tun0 in post/fail-back
> bar_net=X.Y.Z.Z #
> bar_net6=fe80::5246:… #
> …
>
> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
> pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
>
> Is there some recommended way of doing this in stock FreeBSD ? Or does
> one usually end up with some sort of macro/generate style solution ?

i would suggest something like this:

table { 231.17.X.Y fe80::5246:... }
table { ... }

pass on { tun0, $ext_if } proto udp from \
    to port 2194

alternatively, if 'foobarserver' is the local host, you can simply do:

pass in on { tun0, $ext_if } proto udp from \
    to self port 2194

note that in either case pf doesn't need 'keep state'.
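As an added example (not code from either message in this thread), the Python script below builds the table-based pf.conf fragment the reply describes from mixed IPv4/IPv6 address lists, and runs two checks a practitioner wants before loading such a ruleset: that every table actually carries both address families (a single-family table silently leaves the other family unmatched by a family-neutral rule, which is exactly the dual-stack mistake the question is about), and that no entry is link-local. The table names <foobarserver> and <bar_net>, the addresses and the rule list are constructed here, since the thread elides the real values.

```python
import ipaddress

# Constructed sample data: the thread elides the real addresses, and the table
# names 'foobarserver' and 'bar_net' are assumed here, not taken from the thread.
HOSTS = {
    "foobarserver": ["231.17.1.2", "2001:db8:1::10"],
    "bar_net": ["198.51.100.0/24", "2001:db8:2::/64"],
}

# (direction, interfaces, proto, source table, destination table, port)
RULES = [
    ("in", ["tun0", "$ext_if"], "udp", "bar_net", "foobarserver", 2194),
]


def parse_entries(entries):
    """Parse every table entry with the ipaddress module; a malformed entry
    raises ValueError here instead of failing later at 'pfctl -f' time."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def table_families(nets):
    """Address families present in a table: {4}, {6} or {4, 6}."""
    return {n.version for n in nets}


def check_tables(hosts):
    """Return warnings about tables that would not behave as a dual-stack
    operator expects:
    - a table holding only one family leaves the other family unmatched by a
      family-neutral rule (traffic of that family falls through to other rules);
    - link-local entries (fe80::/10, 169.254.0.0/16) only match traffic on the
      directly attached link, so they are usually a mistake in routed rules."""
    warnings = []
    for name, entries in hosts.items():
        nets = parse_entries(entries)
        fams = table_families(nets)
        if fams != {4, 6}:
            missing = ", ".join(f"IPv{v}" for v in sorted({4, 6} - fams))
            warnings.append(f"<{name}> has no {missing} entries")
        for n in nets:
            if n.is_link_local:
                warnings.append(
                    f"<{name}> entry {n} is link-local and only matches on the attached link")
    return warnings


def render_table(name, nets):
    """Emit one 'table <name> { ... }' line; single hosts are written without
    a /32 or /128 suffix to match the style used in the thread."""
    body = " ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets)
    return f"table <{name}> {{ {body} }}"


def render_rule(rule):
    """Emit one family-neutral pass rule. Because each table holds both
    families, pf matches a packet against the entries of its own family, so no
    inet/inet6 split is needed; 'keep state' is left off as the reply notes."""
    direction, ifaces, proto, src, dst, port = rule
    return (f"pass {direction} on {{ {', '.join(ifaces)} }} proto {proto} "
            f"from <{src}> to <{dst}> port {port}")


def render_conf(hosts, rules):
    """Tables first, then rules, so tables are defined before they are used."""
    lines = [render_table(n, parse_entries(e)) for n, e in hosts.items()]
    lines.append("")
    lines.extend(render_rule(r) for r in rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for w in check_tables(HOSTS):
        print("warning:", w)
    print(render_conf(HOSTS, RULES), end="")
```

Write the output to a file and syntax-check it with `pfctl -nf <file>` before loading; the warnings list is empty for the sample data, and adding a table with only IPv4 entries or an fe80:: address produces a warning naming the table.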