Re: IPv6 and IPv4 combined rules in pf.conf

From: Dirk-Willem van Gulik <dirkx_at_webweaving.org>
Date: Wed, 08 May 2024 21:19:59 UTC
On 8 May 2024, at 22:41, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
> 
>> On 8 May 2024, at 22:14, Lexi Winter <lexi@le-fay.org> wrote:
>> 
>> Dirk-Willem van Gulik:
>>> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
>>> listening to - is there a recommended way to setup pf.conf to avoid
>>> mistakes/duplication ?
>> 
>>> To avoid duplication in constructs such as:
>> 
>>> 	# Foo app servers
>>> 	foobarserver_host4=231.17.X.Y
>>> 	foobarserver_host6=fe80::5246:…
>>> 
>>> 	# Load balancers  - direct or via tun0 in post/fail-back 
>>> 	bar_net=X.Y.Z.Z # 
>>> 	bar_net6=fe80::5246:… # 
>>> 	…
>>> 
>>> 	pass in on { tun0, $ext_if }  proto udp from $bar_net  to $foobarserver_host4 port 2194 keep state
>>> 	pass in on { tun0, $ext_if }  proto udp6 from $bar_net6 to $foobarserver_host6 port 2194 keep state
>> 
>>> Is there some recommended way of doing this in stock FreeBSD ? Or does
>>> one usually end up with some sort of macro/generate style solution ?
>> 
>> i would suggest something like this:
>> 
>> 	table <foobarserver> {
>> 		231.17.X.Y
>> 		fe80::5246:...
>> 	}
>> 
>> 	table <bar-net> {
>> 		...
>> 	}
>> 
>> 	pass on { tun0, $ext_if } proto udp from <bar-net> \
>> 		to <foobarserver> port 2194
> 
> Ok - excellent - so one can mix IPv4 and IPv6 in a list - and ‘udp’ no longer needs to be ‘udp6’ (and same for tcp6 and icmp6 vs. tcp/icmp) - pf guesses this right based on the address ?

Ignore - that works perfectly - with inet/inet6 thrown in where I need to make the distinction.

Thanks !

Dw.
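A fuller dual-stack pf.conf fragment along the lines Lexi suggests, as an added example that is not part of the thread: the interface name, addresses and port are constructed placeholders, and it also shows the inet/inet6 split Dirk mentions for the one place where the two families genuinely differ (ICMP vs ICMPv6).

```pf
# Added example, not from the thread. Interface, addresses and port are
# constructed placeholders. Check the syntax with: pfctl -nf /etc/pf.conf
ext_if = "em0"

# One table per role, holding both address families. pf matches a packet's
# address against the entries of the same family, so one rule covers both
# IPv4 and IPv6 without duplicated *_host4 / *_host6 macros.
table <foobarserver> const { 203.0.113.10, 2001:db8:1::10 }
table <bar_net>      const { 198.51.100.0/24, 2001:db8:2::/64 }

# Single rule replaces the separate IPv4 and IPv6 rules; plain "udp" is
# correct for both families. "keep state" is the default for pass rules.
pass in on { tun0, $ext_if } proto udp from <bar_net> \
    to <foobarserver> port 2194

# Where the families really differ, split the rule with the inet/inet6
# address-family keyword. ICMP and ICMPv6 are distinct protocols with
# different type names, and IPv6 needs neighbour discovery to work at all,
# so these two rules cannot be merged into one.
pass in on $ext_if inet  proto icmp  icmp-type  { echoreq, unreach }
pass in on $ext_if inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv, routeradv }

# Anything else from those sources towards the app servers is logged and
# dropped; again one rule serves both families.
block in log on $ext_if from <bar_net> to <foobarserver>
```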