Hi,
It's great in PF to be able to use an interface name in a PF rule, and that's
internally substituted with the IP address(es) on that interface.
This means you can have neat rules like:
pass out quick on vlan10 inet from vlan10 to !vlan10:network nat-to lo1
This not only means you are not hard coding IPs and having to keep them
up-to-date, but also means that a ruleset can be shared between hosts in a
firewall pair, without having to have host-specific changes.
However, this does not work with IPv6, because vlan10 translates to the
link-local address (fe80::) instead of the real address on the interface.
This is a bug, IMO. I'm not sure why you'd want the link local address in
there... and to my knowledge, there isn't a way of forcing it to use the real
IP.
While I'm on, can I also suggest:
- :0 can be used as a modifier to not add alias addresses. Can I request the
ability to have further integers to select which IP should be used, eg: :1
should be the second address etc.
- The ability to do { inet, inet6 } to have a single rule for both IPv4 + IPv6
and it be expanded out.
Thanks,
Ian
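As an added illustration (not pf's code, and not part of Ian's message), the following Python models the address selection the post discusses: expanding an interface name into its addresses, the existing ':0' modifier, the proposed ':N' index, the '{ inet, inet6 }' expansion into one rule per family, and an inet6 selection that skips fe80::/10 as the post would prefer. The interface addresses are constructed sample data, not from any real host.

```python
import ipaddress

# Constructed sample of what a host might report for vlan10: an IPv4 primary
# address, an IPv4 alias, an IPv6 link-local address and an IPv6 global address.
VLAN10_ADDRS = [
    ipaddress.ip_interface("192.0.2.10/24"),
    ipaddress.ip_interface("192.0.2.11/24"),      # alias address
    ipaddress.ip_interface("fe80::1/64"),         # link-local, what the post sees chosen
    ipaddress.ip_interface("2001:db8:10::10/64"), # the "real" IPv6 address
]


def expand_interface(addrs, af=None, index=None, skip_link_local=False):
    """Model of substituting an interface name in a pf rule.

    af: None for both families, or "inet" / "inet6".
    index: None = every address of the family (aliases included);
           0 = the primary address only (pf's ':0' modifier);
           N > 0 = the (N+1)th address, the ':N' extension proposed in the post.
    skip_link_local: drop fe80::/10 so a global IPv6 address is chosen instead
                     (hypothetical behaviour, not something pf offers here).
    """
    selected = []
    for a in addrs:
        if af == "inet" and a.version != 4:
            continue
        if af == "inet6" and a.version != 6:
            continue
        if skip_link_local and a.version == 6 and a.ip.is_link_local:
            continue
        selected.append(a)
    if index is None:
        return [str(a.ip) for a in selected]
    if index >= len(selected):
        return []  # the requested address does not exist on this interface
    return [str(selected[index].ip)]


def render_rules(addrs, afs=("inet", "inet6"), skip_link_local=False):
    """Expand one rule template into one concrete rule per address family, the
    effect the post asks for with '{ inet, inet6 }'. Only the source address is
    substituted here; ':network' and 'nat-to lo1' are left symbolic."""
    rules = []
    for af in afs:
        for ip in expand_interface(addrs, af, index=0, skip_link_local=skip_link_local):
            rules.append(f"pass out quick on vlan10 {af} from {ip} to !vlan10:network nat-to lo1")
    return rules


if __name__ == "__main__":
    for rule in render_rules(VLAN10_ADDRS) + render_rules(VLAN10_ADDRS, skip_link_local=True):
        print(rule)
```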