pf IPv6 NAT using link local addresses
Russell Yount
russell.yount at gmail.com
Sun Sep 28 04:17:19 UTC 2014
Specify IPv6 NAT with FreeBSD 9.3 in pf.conf as
nat on $external inet6 from $local6 to any -> ($external)
results in pf attempting to load balance between the routable IPv6
addresses and the link-local IPv6 address as the translation addresses.
Specify IPv6 NAT with FreeBSD 9.3 in pf.conf as
nat on $external inet6 from $local6 to any -> ($external:0)
results in pf using the link-local IPv6 address as the
translation address.
Both of these behaviors are wrong; pf does not understand the scope of IPv6
link-local addresses as different from routable IPv6 addresses.
The following patch permits the use of ($external::0) syntax to select the
first routable IPv6 address rather than the link-local address so it can be
used with IPv6 NAT correctly. It only handles the case of one routable IPv6
address and ($external) syntax still attempts to round-robin between
routable IPv6 addresses and the link-local IPv6 address. Not sure if
changing ($external) syntax to omit link-local addresses would cause other
problems?
-Russ <russell.yount at gmail.com>
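The following is an added illustration, not code from this post or from pf itself: a small Python model of how pf walks an interface's address list for ($external) versus ($external:0), with and without the link-local skip the patch below adds. The address order and the function names are constructed for the example; the link-local test stands in for IN6_IS_ADDR_LINKLOCAL.

```python
# Added illustration (not pf code): model pf's per-interface address walk
# for ($ext) and ($ext:0), before and after the link-local skip in the patch.
import ipaddress

# Constructed sample in the order the kernel typically lists addresses:
# the fe80::/10 link-local address precedes the routable IPv6 address.
SAMPLE_ADDRS = ["192.0.2.10", "fe80::1", "2001:db8:1::10"]


def select_translation_addrs(addrs, noalias, skip_linklocal):
    """Return the addresses pf would consider for translation.

    addrs: interface addresses in kernel order (strings).
    noalias: True for ($ext:0), i.e. first address per address family.
    skip_linklocal: True when the patch's link-local skip under :0 is in.
    """
    got4 = got6 = False
    chosen = []
    for text in addrs:
        ip = ipaddress.ip_address(text)
        # The patch: under :0, never let a link-local address take the
        # one IPv6 slot; fall through to the next address instead.
        if noalias and skip_linklocal and ip.version == 6 and ip.is_link_local:
            continue
        if noalias:
            if ip.version == 4 and got4:
                continue
            if ip.version == 6 and got6:
                continue
        chosen.append(text)
        if ip.version == 4:
            got4 = True
        else:
            got6 = True
    return chosen


def ipv6_candidates(addrs, noalias, skip_linklocal):
    """Only the IPv6 part of the selection, as an inet6 NAT rule would use."""
    return [a for a in select_translation_addrs(addrs, noalias, skip_linklocal)
            if ipaddress.ip_address(a).version == 6]


if __name__ == "__main__":
    print("($ext)   unpatched:", ipv6_candidates(SAMPLE_ADDRS, False, False))
    print("($ext:0) unpatched:", ipv6_candidates(SAMPLE_ADDRS, True, False))
    print("($ext:0) patched:  ", ipv6_candidates(SAMPLE_ADDRS, True, True))
```

The unpatched :0 case returns only fe80::1, reproducing the behavior reported above; the patched case returns the first routable address.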
--- usr/src/sys/contrib//pf/net/pf_if.c-orig 2014-07-10
17:59:41.000000000 -0400
+++ usr/src/sys/contrib//pf/net/pf_if.c 2014-08-24 18:13:57.000000000 -0400
@@ -690,6 +690,10 @@
IN6_IS_ADDR_LINKLOCAL(
&((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
continue;
+ if ((flags & PFI_AFLAG_NOALIAS) && af == AF_INET6 &&
+ IN6_IS_ADDR_LINKLOCAL(
+ &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
+ continue;
if (flags & PFI_AFLAG_NOALIAS) {
if (af == AF_INET && got4)
continue;
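Review bot: the added `+` lines repeat, verbatim, the three-line `IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)` test that the unchanged context immediately above already performs for another flag; rather than a second copy of the expression, fold `PFI_AFLAG_NOALIAS` into that existing condition so link-local addresses are skipped from one place. The placement is otherwise sound: the new skip runs before the `if (flags & PFI_AFLAG_NOALIAS)` block, so a link-local address never counts as the first IPv6 address and the following routable one is the one recorded for `:0`. Two smaller points: the `---` file header of this inline copy is wrapped across two lines and both paths contain a doubled `//` (`contrib//pf`), so the text as pasted will not feed to patch(1) cleanly, and a pf.conf(5) note describing the changed `:0` meaning for inet6 should accompany the change.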