Hi all,

Following up from my previous (PEBKAC) issue[1], I kept working on my
ruleset.  I found what I believe to be another issue.  Here's the
reduced ruleset that reproduces the problem:

[root@ferrari] # cat pf.tmp
IntIF=em1
# only allow DNS to the unbound instance listening on em1 (v4 and v6)
block in on $IntIF proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
[root@ferrari] # pfctl -nvf pf.tmp
IntIF = "em1"
block drop in on em1 inet6 proto tcp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet6 proto udp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet proto tcp from 192.168.150.0/24 to ! 192.168.150.1 port = 53
block drop in on em1 inet proto udp from 192.168.150.0/24 to ! 192.168.150.1 port = 53

The problem is in the IPv6 rules.  Here "em1:network" expands to the
global unicast network configured on the interface, but "em1:0" expands
to the link-local address.  This doesn't really make sense to me.  If
both expanded to the link-local version, that would be unfortunate
but understandable.  I'm hoping to have both expand to the global
unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1").

Why is pfctl picking different addresses for these two modifiers?

This is the interface configuration:

[root@ferrari] # ifconfig em1
em1: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr 00:e0:67:15:cc:6d
        description: LAN
        index 2 priority 0 llprio 3
        groups: lan
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::2e0:67ff:fe15:cc6d%em1 prefixlen 64 scopeid 0x2
        inet6 2a02:898:28:300::1 prefixlen 64
        inet6 2a02:898:28:300::2 prefixlen 128
        inet 192.168.150.1 netmask 0xffffff00 broadcast 192.168.150.255
        inet 192.168.150.2 netmask 0xffffffff

Is there a way to tell pf to use the global unicast address for em1:0
other than hardcoding the address in the ruleset?

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://marc.info/?l=openbsd-misc&m=157994923220390&w=2

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
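An added example, not part of Paul's mail or of pfctl: a small Python lint over the expanded ruleset that `pfctl -nvf` prints, which flags rules whose negated destination host does not sit inside the rule's source network (or is IPv6 link-local while the source network is global), and lists which interface addresses from the `ifconfig em1` output do fall inside that network. Both inputs are the outputs quoted in the mail, embedded here as constructed strings. The rule grammar it understands is only the `block ... from X to ! Y port = N` shape shown above; other pfctl output lines are skipped. This is an assumed checking approach, not anything pf provides.

```python
"""Added example (not from the original mail or from pfctl): lint the
rules that `pfctl -nvf` prints for src/dst consistency, so that an
interface modifier expanding to an unexpected address is caught before
the ruleset is loaded."""
import ipaddress
import re

# Constructed input: the pfctl -nvf output from the mail, wrapped lines joined.
PFCTL_OUTPUT = """\
IntIF = "em1"
block drop in on em1 inet6 proto tcp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet6 proto udp from 2a02:898:28:300::/64 to ! fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet proto tcp from 192.168.150.0/24 to ! 192.168.150.1 port = 53
block drop in on em1 inet proto udp from 192.168.150.0/24 to ! 192.168.150.1 port = 53
"""

# Constructed input: the address lines of the `ifconfig em1` output from the mail.
IFCONFIG_OUTPUT = """\
        inet6 fe80::2e0:67ff:fe15:cc6d%em1 prefixlen 64 scopeid 0x2
        inet6 2a02:898:28:300::1 prefixlen 64
        inet6 2a02:898:28:300::2 prefixlen 128
        inet 192.168.150.1 netmask 0xffffff00 broadcast 192.168.150.255
        inet 192.168.150.2 netmask 0xffffffff
"""

# Assumed grammar: only the rule shape seen in the mail is recognised.
RULE_RE = re.compile(
    r"^(?P<action>block drop|block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+)\s+"
    r"(?P<af>inet6?)\s+proto\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<neg>!\s+)?(?P<dst>\S+)"
)
IFCONFIG_ADDR_RE = re.compile(r"^\s*(inet6?)\s+(\S+)")


def parse_rules(pfctl_text):
    """One dict per line matching RULE_RE; macro definitions and other lines are skipped."""
    rules = []
    for line in pfctl_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def check_rule(rule):
    """Findings for one parsed rule; an empty list means src and dst are consistent."""
    src = ipaddress.ip_network(rule["src"], strict=False)
    dst = ipaddress.ip_network(rule["dst"], strict=False)  # a bare host becomes a /32 or /128
    findings = []
    if src.version != dst.version:
        findings.append("address family mismatch between src and dst")
        return findings
    if (dst.version == 6 and dst.network_address.is_link_local
            and not src.network_address.is_link_local):
        findings.append("dst %s is link-local but src network %s is not"
                        % (dst.network_address, src))
    if dst.prefixlen == dst.max_prefixlen and dst.network_address not in src:
        findings.append("dst host %s is not inside src network %s"
                        % (dst.network_address, src))
    return findings


def lint(pfctl_text):
    """Return [(rule, findings)] for every rule that has at least one finding."""
    flagged = []
    for rule in parse_rules(pfctl_text):
        findings = check_rule(rule)
        if findings:
            flagged.append((rule, findings))
    return flagged


def addresses_in(ifconfig_text, network):
    """Interface addresses (from ifconfig output) that fall inside `network`, as strings."""
    network = ipaddress.ip_network(network, strict=False)
    found = []
    for line in ifconfig_text.splitlines():
        m = IFCONFIG_ADDR_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(2).split("%")[0])  # drop the %em1 scope suffix
        if addr.version == network.version and addr in network:
            found.append(str(addr))
    return found


if __name__ == "__main__":
    for rule, findings in lint(PFCTL_OUTPUT):
        print("%s proto %s: %s" % (rule["af"], rule["proto"], "; ".join(findings)))
        print("  interface addresses inside %s: %s"
              % (rule["src"], ", ".join(addresses_in(IFCONFIG_OUTPUT, rule["src"]))))
```

Run against the quoted output, the two inet6 rules are flagged on both counts (link-local destination, destination outside the /64) while the two inet rules pass, and the interface lookup reports 2a02:898:28:300::1 and 2a02:898:28:300::2 as the global addresses inside the source network. Piping real `pfctl -nvf` output through it only works for rules in the single shape modelled here.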
