>Synopsis:      pf.conf: modifier :0 doesn't work for IPv6 addresses
>Category:      system amd64
>Environment:
        System      : OpenBSD 7.4
        Details     : OpenBSD 7.4 (GENERIC) #2: Fri Dec 8 15:38:40 MST 2023
                      r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        The pf.conf manpage states:

            Interface names, interface group names, and self can have
            modifiers appended:

            :0      Do not include interface aliases.

        It appears the :0 modifier only works for IPv4 addresses.
        If this is by design, it should be mentioned in the pf.conf manpage.
>How-To-Repeat:
        vm# cat /etc/hostname.vio0
        inet 100.64.0.2/24
        inet alias 100.64.0.3/24
        inet6 fd00::2/64
        inet6 alias fd00::3/64

        vm# ifconfig vio0 | grep inet
                inet 100.64.0.2 netmask 0xffffff00 broadcast 100.64.0.255
                inet 100.64.0.3 netmask 0xffffff00 broadcast 100.64.0.255
                inet6 fe80::fce1:bbff:fed1:1d84%vio0 prefixlen 64 scopeid 0x1
                inet6 fd00::2 prefixlen 64
                inet6 fd00::3 prefixlen 64

        pf.conf rule:

        # pass in SSH from mngmt hosts
        pass in quick on egress proto tcp from <mngmt> to egress port ssh

        as expected, pfctl -sr shows:

        pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA
        pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.3 port = 22 flags S/SA
        pass in quick on egress inet6 proto tcp from <mngmt> to fd00::2 port = 22 flags S/SA
        pass in quick on egress inet6 proto tcp from <mngmt> to fd00::3 port = 22 flags S/SA

        but if we use the :0 modifier: (and reload)

        pass in quick on egress proto tcp from <mngmt> to egress:0 port ssh

        pfctl -sr now shows only the first (non-alias) IPv4:

        pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA

        Am I missing something?

        Thanks,

        --Kor
>Fix:
        unknown.
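
A check for the symptom reported above, as an added example that is not part of the original report: it compares the address families configured on an interface with the families present in the expanded ruleset for one port. The function names are hypothetical, the sample input is copied from the report's output, and skipping link-local fe80:: addresses is an assumption based on the expansion the report shows.

```sh
#!/bin/sh
# Added example (not from the report). Function names are hypothetical.
# Sample input below is copied from the report's ifconfig/pfctl output.
IFCONFIG_OUT='inet 100.64.0.2 netmask 0xffffff00 broadcast 100.64.0.255
inet 100.64.0.3 netmask 0xffffff00 broadcast 100.64.0.255
inet6 fe80::fce1:bbff:fed1:1d84%vio0 prefixlen 64 scopeid 0x1
inet6 fd00::2 prefixlen 64
inet6 fd00::3 prefixlen 64'
RULES_ALL='pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA
pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.3 port = 22 flags S/SA
pass in quick on egress inet6 proto tcp from <mngmt> to fd00::2 port = 22 flags S/SA
pass in quick on egress inet6 proto tcp from <mngmt> to fd00::3 port = 22 flags S/SA'
RULES_MOD0='pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA'

# Address families with a usable address in "ifconfig <if> | grep inet" text.
# Assumption: link-local fe80:: is skipped, as in the report's expansion.
iface_families() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" { seen["inet"] = 1 }
        $1 == "inet6" && $2 !~ /^fe80:/ { seen["inet6"] = 1 }
        END { for (f in seen) print f }' | sort
}

# Address families of the expanded rules ("pfctl -sr" text) for one port.
# A rule that names no family applies to both, so it counts for both.
rule_families() {
    printf '%s\n' "$1" | awk -v port="$2" '
        {
            af = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "inet" || $i == "inet6") af = $i
                if ($i == "port" && $(i + 1) == "=" && $(i + 2) == port) {
                    if (af == "") { seen["inet"] = 1; seen["inet6"] = 1 }
                    else seen[af] = 1
                }
            }
        }
        END { for (f in seen) print f }' | sort
}

# Families configured on the interface but absent from the rules.
missing_families() {
    have=$(rule_families "$2" "$3")
    for f in $(iface_families "$1"); do
        case " $(echo $have) " in *" $f "*) ;; *) echo "$f" ;; esac
    done
}

missing_families "$IFCONFIG_OUT" "$RULES_MOD0" 22   # prints: inet6
```

On a live system the two arguments would be the output of ifconfig for the interface and of pfctl -sr after the reload.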