On 2022-08-16, Jason Healy <[email protected]> wrote:
> I'm now trying to handle the opposite (NAT46), so external v4-only hosts can
> reach my v6-only servers. I'm able to get the packets delivered, but the
> translated source address is "squashed" to a single IP and I'd like it to
> contain the embedded v4 src address.
>
> Example setup:
>
> External client IPv4: 203.0.113.4
> My public IPv4: 198.51.100.4
> My internal IPv6: 2001:0db8::6
> My internal NAT64 prefix: 2001:0db8:6464::/96
>
> Client contacts my public IPv4:
>
> 203.0.113.4 -> 198.51.100.4
>
> I want PF to translate the packet so the IPv4 source is embedded in the
> translated source:
>
> 2001:0db8:6464::cb00:7104 -> 2001:0db8::6
>
> The closest I've gotten is:
>
> pass in on $wan inet to 198.51.100.4 af-to inet6 from 2001:0db8:6464::/96 to
> 2001:0db8::6
>
> The packets are delivered and translated, but the source address gets
> squashed to the literal "2001:0db8:6464::". I'd want the client's
> "203.0.113.4" put over the low-order bits of the source address as
> "cb00:7104".
>
> Essentially, I want stateless NAT46. I realize PF is always stateful and
> thus doesn't *need* to embed the source to track the packets, but in this
> case having it would let me run log analysis on the host without having to
> consult the firewall.
>
> I've been over the options in PF but can't find anything that will allow me
> to specify that the SOURCE address have a v4 embedded in it.
>
> Am I missing anything?
I don't think you have, seems that you'll need code changes for that (in the kernel and a way to configure it in pfctl). It might be easier to hack an implementation into place in relayd's AF translation (relay.c) rather than in PF.

-- 
Please keep replies on the mailing list.
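As an added example, not code from the thread or from PF/relayd: a small Python helper that performs the /96 embedding Jason describes (203.0.113.4 -> 2001:db8:6464::cb00:7104) and the reverse lookup he wants for host-side log analysis. It also handles the squashed case his current af-to rule produces, where the source is the bare prefix and no client address can be recovered. The prefix is the one from the thread; the access-log lines are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

PREFIX = "2001:0db8:6464::/96"  # NAT64 prefix from the thread


def embed_ipv4(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Place an IPv4 address in the low-order 32 bits of a /96 prefix,
    the layout the poster expects (203.0.113.4 -> ::cb00:7104)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only a /96 prefix keeps the v4 address in the last 32 bits")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(prefix: str, v6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the embedded IPv4 client from a translated source address.
    Returns None if the address is outside the prefix, or if the low 32 bits
    are all zero, which is what the 'squashed' af-to rule in the thread emits."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    low = int(addr) & 0xFFFFFFFF
    if low == 0:
        return None
    return ipaddress.IPv4Address(low)


def annotate_log(prefix: str, lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """For access-log lines whose first field is the client address, pair the
    logged IPv6 source with the recovered IPv4 client (None when unrecoverable)."""
    out = []
    for line in lines:
        src = line.split(" ", 1)[0]
        v4 = extract_ipv4(prefix, src)
        out.append((src, str(v4) if v4 is not None else None))
    return out


# Constructed sample lines, as a v6-only web server behind NAT46 might record them.
SAMPLE_LOG = [
    '2001:db8:6464::cb00:7104 - - [16/Aug/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:6464:: - - [16/Aug/2022:10:00:01 +0000] "GET /login HTTP/1.1" 200 734',
    '2001:db8::77 - - [16/Aug/2022:10:00:02 +0000] "GET /status HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(embed_ipv4(PREFIX, "203.0.113.4"))
    for src, v4 in annotate_log(PREFIX, SAMPLE_LOG):
        print(f"{src:28} -> {v4 or 'no embedded v4 (squashed or native v6)'}")
```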

