Hello,

If I remember correctly, it was pointed out in 2020. Unfortunately I'm not able to find the details.
The diff was not accepted because we could not find a good way to establish the concept of a primary address (:0) and alias addresses in IPv6. It sort of works for IPv4, but in the case of IPv6 there is some friction. I think currently the :0 is assigned to the first IP address assigned to the interface (hence primary). In the case of IPv6 the :0 is always a link-local address. We keep this feature because it 'sort of' works for IPv4. It's not applicable to IPv6. So, as you say, pf.conf(5) should be updated.

regards
sashan

On Wed, Jan 17, 2024 at 05:09:10PM -0300, K R wrote:
> >Synopsis:	pf.conf: modifier :0 doesn't work for IPv6 addresses
> >Category:	system amd64
> >Environment:
> 	System      : OpenBSD 7.4
> 	Details     : OpenBSD 7.4 (GENERIC) #2: Fri Dec  8 15:38:40 MST 2023
> 	                 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> 	Architecture: OpenBSD.amd64
> 	Machine     : amd64
> >Description:
> 
> The pf.conf manpage states:
> 
>      Interface names, interface group names, and self can have
>      modifiers appended:
> 
>            :0          Do not include interface aliases.
> 
> It appears the :0 modifier only works for IPv4 addresses. If this is
> by design, it should be mentioned in the pf.conf manpage.
> 
> >How-To-Repeat:
> 
> vm# cat /etc/hostname.vio0
> inet 100.64.0.2/24
> inet alias 100.64.0.3/24
> inet6 fd00::2/64
> inet6 alias fd00::3/64
> 
> vm# ifconfig vio0 | grep inet
>         inet 100.64.0.2 netmask 0xffffff00 broadcast 100.64.0.255
>         inet 100.64.0.3 netmask 0xffffff00 broadcast 100.64.0.255
>         inet6 fe80::fce1:bbff:fed1:1d84%vio0 prefixlen 64 scopeid 0x1
>         inet6 fd00::2 prefixlen 64
>         inet6 fd00::3 prefixlen 64
> 
> pf.conf rule:
> 
> # pass in SSH from mngmt hosts
> pass in quick on egress proto tcp from <mngmt> to egress port ssh
> 
> as expected, pfctl -sr shows:
> 
> pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA
> pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.3 port = 22 flags S/SA
> pass in quick on egress inet6 proto tcp from <mngmt> to fd00::2 port = 22 flags S/SA
> pass in quick on egress inet6 proto tcp from <mngmt> to fd00::3 port = 22 flags S/SA
> 
> but if we use the :0 modifier (and reload):
> 
> pass in quick on egress proto tcp from <mngmt> to egress:0 port ssh
> 
> pfctl -sr now shows only the first (non-alias) IPv4:
> 
> pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA
> 
> Am I missing something?
> 
> Thanks,
> --Kor
> 
> >Fix:
> unknown.
> 
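A check a reader of this thread might want to run after a reload, added here as an example and not part of the report or of sashan's reply: a POSIX sh function that takes the address lines of ifconfig(8) for an interface and the expanded rules printed by pfctl -sr, and lists every address that no rule mentions. The two sample inputs are constructed from the report above rather than captured live, and the function name uncovered_addrs is mine. Link-local addresses are skipped because, as the report's output shows, pfctl does not expand an interface name to them. With the plain egress rule nothing is reported; with egress:0 the IPv4 alias (the documented intent of the modifier) and both IPv6 addresses (the behaviour the report is about) are reported.

```shell
#!/bin/sh
# Added example: list interface addresses that an expanded rule set leaves out.
# All sample inputs below are constructed from the bug report, not captured live.

# Address lines of "ifconfig vio0 | grep inet" as shown in the report.
IFCONFIG_OUT='inet 100.64.0.2 netmask 0xffffff00 broadcast 100.64.0.255
inet 100.64.0.3 netmask 0xffffff00 broadcast 100.64.0.255
inet6 fe80::fce1:bbff:fed1:1d84%vio0 prefixlen 64 scopeid 0x1
inet6 fd00::2 prefixlen 64
inet6 fd00::3 prefixlen 64'

# What pfctl -sr printed for "... to egress port ssh" (all four addresses).
RULES_EGRESS='pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA
pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.3 port = 22 flags S/SA
pass in quick on egress inet6 proto tcp from <mngmt> to fd00::2 port = 22 flags S/SA
pass in quick on egress inet6 proto tcp from <mngmt> to fd00::3 port = 22 flags S/SA'

# What pfctl -sr printed for "... to egress:0 port ssh" (first IPv4 only).
RULES_EGRESS0='pass in quick on egress inet proto tcp from <mngmt> to 100.64.0.2 port = 22 flags S/SA'

# uncovered_addrs IFCONFIG_TEXT RULES_TEXT
# Prints, one per line and in ifconfig order, every inet/inet6 address of the
# interface that appears in none of the rules. Link-local (fe80::/10) addresses
# are skipped: pfctl does not expand interface names to them (see the report).
uncovered_addrs() {
    printf '%s\n' "$1" |
    awk '$1 == "inet" || $1 == "inet6" {
            a = $2
            sub(/%.*/, "", a)                       # drop the %vio0 scope suffix
            if (a !~ /^fe[89ab][0-9a-f]:/) print a  # skip fe80::/10
        }' |
    while IFS= read -r addr; do
        # -F: literal match (dots are not wildcards); -w: whole token only,
        # so 100.64.0.2 does not match 100.64.0.22 or 100.64.0.255.
        printf '%s\n' "$2" | grep -qwF -- "$addr" || printf '%s\n' "$addr"
    done
}

echo "uncovered with 'to egress':"
uncovered_addrs "$IFCONFIG_OUT" "$RULES_EGRESS"
echo "uncovered with 'to egress:0':"
uncovered_addrs "$IFCONFIG_OUT" "$RULES_EGRESS0"
```

On a live system the same function can be fed real output, for example uncovered_addrs "$(ifconfig vio0 | grep inet)" "$(pfctl -sr)", so that a rule written with :0 is checked against the addresses the interface actually carries rather than against what the modifier was expected to mean.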
