Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

    nat on $external inet6 from $local6 to any -> ($external)

results in pf attempting to load balance between the routable IPv6 addresses and the link-local IPv6 address as the translation addresses. Specifying IPv6 NAT with FreeBSD 9.3 in pf.conf as

    nat on $external inet6 from $local6 to any -> ($external:0)

results in pf using the link-local IPv6 address as the translation address. Both of these behaviors are wrong; pf does not understand the scope of IPv6 link-local addresses as different from routable IPv6 addresses.

The following patch permits the use of ($external::0) syntax to select the first routable IPv6 address rather than the link-local address so it can be used with IPv6 NAT correctly. It only handles the case of one routable IPv6 address, and ($external) syntax still attempts to round-robin between routable IPv6 addresses and the link-local IPv6 address. Not sure if changing ($external) syntax to omit link-local addresses would cause other problems?

-Russ <russell.yo...@gmail.com>

--- usr/src/sys/contrib//pf/net/pf_if.c-orig 2014-07-10 17:59:41.000000000 -0400 +++ usr/src/sys/contrib//pf/net/pf_if.c 2014-08-24 18:13:57.000000000 -0400 @@ -690,6 +690,10 @@ IN6_IS_ADDR_LINKLOCAL( &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) continue; + if ((flags & PFI_AFLAG_NOALIAS) && af == AF_INET6 && + IN6_IS_ADDR_LINKLOCAL( + &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) + continue; if (flags & PFI_AFLAG_NOALIAS) { if (af == AF_INET && got4) continue;
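Review bot: The new check ahead of the "if (flags & PFI_AFLAG_NOALIAS) {" block skips link-local addresses unconditionally, so an interface that has only a link-local IPv6 address now yields no inet6 address at all for the :0 modifier, and any existing rule that relied on (if:0) resolving to the link-local address silently stops matching. That deserves either a fallback (skip link-local only when a non-link-local IPv6 address exists on the interface) or at least a comment here and a matching note where the :0 modifier is documented. The test also repeats the IN6_IS_ADDR_LINKLOCAL expression from the statement directly above it; if that statement is a flag-gated check of the same shape, folding PFI_AFLAG_NOALIAS into its flag test would avoid the duplicated cast. As the message itself says, the unmodified ($external) form is not changed by this hunk and still includes the link-local address in the round-robin pool.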
freebsd-9.3-pf-ipv6-nat.patch