On Fri, Jan 15, 2021 at 01:30:01PM +0100, Alexander Bluhm wrote:
> sysctl net.inet.ip.forwarding is checked before ip_input() passes
> the packet to ip_forward(). But with an af-to rule, pf(4) calls
> ip_forward() directly. I think we should check the sysctl also in
> pf to get consistent behaviour.

Existing routers doing NAT64 for IPv6-only networks will require
`net.inet.ip.forwarding=1' for NAT64 to work.
There has not been a need for it on such routers, i.e. my home box only has
`net.inet6.ip6.forwarding=1' in /etc/sysctl.conf so far.

I'd say we should make that clear with a current.html entry.

Either way, I think that diff makes sense.
OK kn