authorKristof Provost <kp@FreeBSD.org>2025-01-23 08:46:06 +0000
committerKristof Provost <kp@FreeBSD.org>2025-01-24 10:20:30 +0000
commit899e79760dcce8c9358caf2e2bddfe1ba3ad6dee (patch)
treeb99d6461e129c8985aab78c60766fe1856815a3e
parentaf33f86e6aef6b15c8aa3da615167272aa7a3ee3 (diff)
pfctl: allow an implicit address family for af-to rules
If the address family can be determined by the "from" or "to" parameter in the matching part, it is no longer necessary to specify "inet" or "inet6" there. OK henning@ mikeb@ Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, ff33038bc1 Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sbin/pfctl/parse.y17
-rw-r--r--sbin/pfctl/tests/files/pf1025.in1
-rw-r--r--sbin/pfctl/tests/files/pf1025.ok1
-rw-r--r--sbin/pfctl/tests/pfctl_test_list.inc1
4 files changed, 8 insertions, 12 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index e66d3cdd295e..ab74d2dd57ab 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -2422,19 +2422,8 @@ pfrule : action dir logquick interface route af proto fromto
r.scrub_flags |= PFSTATE_SETPRIO;
}
- if ($9.marker & FOM_AFTO) {
- if (!$6) {
- yyerror("must indicate source address "
- "family with af-to");
- YYERROR;
- }
- if ($6 == $9.nat.af) {
- yyerror("incorrect address family "
- "translation");
- YYERROR;
- }
+ if ($9.marker & FOM_AFTO)
r.rule_flag |= PFRULE_AFTO;
- }
r.af = $6;
if ($9.tag)
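Review bot: The surviving `if ($9.marker & FOM_AFTO)` deserves a comment saying why the checks that used to sit here are gone, because a reader of this action can no longer see where af-to is validated: the same-family test moves to filter_consistent(), while the "must indicate source address family" test is dropped on the assumption that r.af is filled in from the from/to hosts before the consistency check runs, which happens outside this hunk. I would write `/* r.af may still be AF_UNSPEC here; af-to consistency is checked in filter_consistent() once the family is known */` above the flag assignment. The pfrule action begins before and continues past this hunk.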
@@ -5465,6 +5454,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
yyerror("must indicate address family with icmp-type/code");
problems++;
}
+ if (r->rule_flag & PFRULE_AFTO && r->af == r->naf) {
+ yyerror("must indicate different address family with af-to");
+ problems++;
+ }
if (r->overload_tblname[0] &&
r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) {
yyerror("'overload' requires 'max-src-conn' "
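Review bot: The new check at `r->af == r->naf` rejects a same-family af-to but does not cover the case the removed parse-time check used to reject: a rule such as `pass in from any to any af-to inet6 from 2001:db8::1` leaves r->af at 0, so `0 == naf` is false and the rule would be handed to the kernel with PFRULE_AFTO set and no source family, unless the kernel refuses it (not visible here). If filter_consistent() runs after the family has been derived from the from/to hosts, as the new test pf1025 implies, I would add alongside it `if (r->rule_flag & PFRULE_AFTO && r->af == 0) { yyerror("must indicate address family with af-to"); problems++; }`, mirroring the icmp-type/code check just above. Parenthesizing the bitmask test, `(r->rule_flag & PFRULE_AFTO) && r->af == r->naf`, would also make the precedence explicit at a glance. filter_consistent() starts before this hunk.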
diff --git a/sbin/pfctl/tests/files/pf1025.in b/sbin/pfctl/tests/files/pf1025.in
new file mode 100644
index 000000000000..d4ad821a6899
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.in
@@ -0,0 +1 @@
+pass in from 10.0.0.0/8 af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1025.ok b/sbin/pfctl/tests/files/pf1025.ok
new file mode 100644
index 000000000000..8f48c987c6a0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc
index 62bb87e680d8..0a523386c16c 100644
--- a/sbin/pfctl/tests/pfctl_test_list.inc
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -133,3 +133,4 @@ PFCTL_TEST(1021, "Endpoint-independent")
PFCTL_TEST(1022, "Test received-on")
PFCTL_TEST(1023, "Test match log(matches)")
PFCTL_TEST(1024, "nat64")
+PFCTL_TEST(1025, "nat64 with implicit address family")