On 2023-04-12, Gabor LENCSE <len...@hit.bme.hu> wrote:
> Hi,
>
> On 4/12/2023 12:09 AM, Nicolas Goy wrote:
>> On Fri, 2023-04-07 at 10:30 +0000, Stuart Henderson wrote:
>>> On 2023-04-04, Nicolas Goy <m...@kuon.ch> wrote:
>>>
>>>
>>> Looking at pf.conf(5) for syntax I just tried something fairly
>>> obvious:
>>>
>>> pass in quick log proto tcp from any to $v4_address port 8383 af-to
>>> inet6 from $dummy_v6_address to $listening_v6_address
>>>
>> Yeah, but as you said, you lose source address.
>>
>> I was trying to get the effect that the source address would be changed
>> in a predictable way.
>>
>> For example, instead of dummy_v6_address, you give a /96 subnet, and
>> the source ipv4 would be put in the last 32 bits. But af-to seems to be
>> only able to do that with destination.
>>
> AFAIK, af_to is for implementing stateful NAT64.
>
> For example, if you write:
>
> pass in on ix0 inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.1
>
> Then PF will use the last 32 bits of the destination IPv6 address as the 
> destination IPv4 address, and 192.0.2.1 as the source IPv4 address 
> (where 192.0.2.1 is the public IPv4 address of the stateful NAT64 gateway).

That's for the opposite translation (v6 connection to "fake" addresses
mapped to v4).

Nicolas wants the other direction. af-to can do that as well, to a fixed
address, but doesn't currently have a way to extract the v4 address and
embed it in a fake v6 address.
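
The address mapping discussed in this thread (an IPv4 address carried in the last 32 bits of a /96), as an added Python example that is not part of the original messages and is not pf code. It goes beyond the /96 case to the other prefix lengths defined in RFC 6052; the function names `embed` and `extract` are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052 for IPv4-embedded IPv6 addresses.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _v4_byte_positions(prefix_len):
    """Byte indexes (0-15) that hold the four IPv4 octets.

    Byte 8 (bits 64-71, the reserved "u" octet) is skipped, so for
    prefixes shorter than /96 the IPv4 address may be split around it.
    """
    positions, index = [], prefix_len // 8
    while len(positions) < 4:
        if index != 8:
            positions.append(index)
        index += 1
    return positions


def embed(prefix, v4):
    """Build the IPv6 address that carries `v4` inside `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    raw = bytearray(net.network_address.packed)
    if raw[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    octets = ipaddress.IPv4Address(v4).packed
    for index, octet in zip(_v4_byte_positions(net.prefixlen), octets):
        raw[index] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix, v6):
    """Recover the IPv4 address from `v6`, which must lie inside `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_byte_positions(net.prefixlen)))


if __name__ == "__main__":
    # Constructed sample: 192.0.2.33 mapped into the prefix used in the thread.
    mapped = embed("64:ff9b::/96", "192.0.2.33")
    print(mapped, "->", extract("64:ff9b::/96", mapped))
```

A log or flow record showing a source inside the translation prefix can be passed through `extract` to recover the original IPv4 client address for correlation.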
