pf: Add prefer-ipv6-nexthop option for route-to pools
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Jun 10 2025, 7:45 PM.

Details

Reviewers

Commits

rG65c318630123: pf: Add prefer-ipv6-nexthop option for route-to pools

Summary

Now that pf is aware of address family of each pool address and source
tracking uses distinct address family for source and redirection
adddresses it is possible to add a new pool option prefer-ipv6-nexthop
which enables routing of IPv4 packets over IPv6 next hops for rules
with the route-to option.

Add a pool option flag PF_POOL_IPV6NH, apply it to pools with a keyword
prefer-ipv6-nexthop.

Modify pf_map_addr() to handle pools with addresses of different
families. Use *naf as a hint about what address family the forwarded
packet is, then pick from the pool addresses of family that can be used
as a next hop for the forwarded packet, controlled by the PF_POOL_IPV6NH
flag. For NAT pools this flag is never set and thus pf_map_addr()
will return an IP address of the same family as the forwarded packet.
For route-to pools when the flag is enabled IPv6 addresses can be
returned or IPv4 packets.

In pf_route() check rt_af, it is not guaranteed to be AF_INET anymore
because pf_map_addr() could have changed it (as *naf).

Add tests for behaviour of pf_map_addr() both with PF_POOL_IPV6NH and
without, for single IP addresses, prefixes and subnets.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Jun 10 2025, 7:45 PM

Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptJun 10 2025, 7:45 PM

vegeta_tuxpowered.net requested review of this revision.Jun 10 2025, 7:45 PM

I'm going to need to take a deeper look later (probably when I'm back home from BSDCan). First impressions are that the implementation is probably good, but I really dislike the 'RFC5549' naming of the flag and variables. Unfortunately I don't immediately have a better suggestion.

In D50781#1159156, @kp wrote:

really dislike the 'RFC5549' naming of the flag and variables. Unfortunately I don't immediately have a better suggestion.

How about:

prefer-ipv6-nexthop
prefer-ipv6-nh
ipv6-nexthop
ipv6-nh

The term "next hop" is often preferred over "gateway", at least by networking people, and is already used in man pf.conf. The option with the word "prefer" hints that the IPv6 next hop is preferred, not enforced, because the code will first try to get an IPv6 address from the pool, but if that's impossible it will try IPv4, at least for IPv4 packets. Options with "nh" instead of "nexthop" make the option shorter, for those of us who want their rules to fit in 80 columns ;)

In D50781#1167661, @vegeta_tuxpowered.net wrote:

In D50781#1159156, @kp wrote:

really dislike the 'RFC5549' naming of the flag and variables. Unfortunately I don't immediately have a better suggestion.

How about:

prefer-ipv6-nexthop

prefer-ipv6-nh

ipv6-nexthop

ipv6-nh

The term "next hop" is often preferred over "gateway", at least by networking people, and is already used in man pf.conf. The option with the word "prefer" hints that the IPv6 next hop is preferred, not enforced, because the code will first try to get an IPv6 address from the pool, but if that's impossible it will try IPv4, at least for IPv4 packets. Options with "nh" instead of "nexthop" make the option shorter, for those of us who want their rules to fit in 80 columns ;)

Yeah, "ipv6-nexthop" seems pretty good.

Couple small remarks (I do still owe you a deeper look, probably sometime next week during the hackathon):

we need to add something to the man page about this. In the man page we should reference the RFC.
there are a couple of small cleanup changes that would be better as part of a separate commit. Things like introducing struct pfctl_pooladdr, and changing 'af' from int to sa_family_t. That makes reviewing this patch easier (because smaller), and the small cleanup patches are trivially obviously correct.

I don't have strong views on the use of rfc5549 in the test names. It's fine there, but if you prefer to use ipv6_nexthop or something that's fine too.

vegeta_tuxpowered.net mentioned this in D51659: pf: Use different address family for source and redirection address.Aug 1 2025, 9:08 AM

vegeta_tuxpowered.net updated this revision to Diff 160063.Fri, Aug 8, 3:35 PM

vegeta_tuxpowered.net retitled this revision from WIP: pf: Add RFC5549 support for route-to to pf: Add RFC5549 support for route-to.

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

Herald added a subscriber: ziaee. · View Herald TranscriptFri, Aug 8, 3:35 PM

vegeta_tuxpowered.net retitled this revision from pf: Add RFC5549 support for route-to to pf: Add prefer-ipv6-nexthop option for route-to pools.Fri, Aug 8, 3:36 PM

A quick pfctl test case for the parser changes (i.e. just a simple prefer-ipv6-nexthop route-to line) would be nice to have too.

I think this is good, I wanted to run it through the tests just in case but (a) I'm pretty confident you already did and (b) with the recent libutil and kerberos changes it's a bit annoying until we get a package rebuild.