Date: Fri, 24 Jan 2025 10:25:02 GMT
Message-Id: <202501241025.50OAP2FP038427@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 899e79760dcc - main - pfctl: allow an implicit address family for af-to rules
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 899e79760dcce8c9358caf2e2bddfe1ba3ad6dee
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=899e79760dcce8c9358caf2e2bddfe1ba3ad6dee

commit 899e79760dcce8c9358caf2e2bddfe1ba3ad6dee
Author:     Kristof Provost
AuthorDate: 2025-01-23 08:46:06 +0000
Commit:     Kristof Provost
CommitDate: 2025-01-24 10:20:30 +0000

    pfctl: allow an implicit address family for af-to rules

    If the address family can be determined by the "from" or "to"
    parameter in the matching part, it is no longer necessary to
    specify "inet" or "inet6" there.

    OK henning@ mikeb@

    Obtained from: OpenBSD, bluhm , ff33038bc1
    Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y                   | 17 +++++------------
 sbin/pfctl/tests/files/pf1025.in     | 1 +
 sbin/pfctl/tests/files/pf1025.ok     | 1 +
 sbin/pfctl/tests/pfctl_test_list.inc | 1 +
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index e66d3cdd295e..ab74d2dd57ab 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y 
@@ -2422,19 +2422,8 @@ pfrule : action dir logquick interface route af proto fromto r.scrub_flags |= PFSTATE_SETPRIO; } - if ($9.marker & FOM_AFTO) { - if (!$6) { - yyerror("must indicate source address " - "family with af-to"); - YYERROR; - } - if ($6 == $9.nat.af) { - yyerror("incorrect address family " - "translation"); - YYERROR; - } + if ($9.marker & FOM_AFTO) r.rule_flag |= PFRULE_AFTO; - } r.af = $6; if ($9.tag) @@ -5465,6 +5454,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call) yyerror("must indicate address family with icmp-type/code"); problems++; } + if (r->rule_flag & PFRULE_AFTO && r->af == r->naf) { + yyerror("must indicate different address family with af-to"); + problems++; + } if (r->overload_tblname[0] && r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) { yyerror("'overload' requires 'max-src-conn' " diff --git a/sbin/pfctl/tests/files/pf1025.in b/sbin/pfctl/tests/files/pf1025.in new file mode 100644 index 000000000000..d4ad821a6899 --- /dev/null +++ b/sbin/pfctl/tests/files/pf1025.in @@ -0,0 +1 @@ +pass in from 10.0.0.0/8 af-to inet6 from 2001:db8::1 diff --git a/sbin/pfctl/tests/files/pf1025.ok b/sbin/pfctl/tests/files/pf1025.ok new file mode 100644 index 000000000000..8f48c987c6a0 --- /dev/null +++ b/sbin/pfctl/tests/files/pf1025.ok @@ -0,0 +1 @@ +pass in inet from 10.0.0.0/8 to any flags S/SA keep state af-to inet6 from 2001:db8::1 diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc index 62bb87e680d8..0a523386c16c 100644 --- a/sbin/pfctl/tests/pfctl_test_list.inc +++ b/sbin/pfctl/tests/pfctl_test_list.inc @@ -133,3 +133,4 @@ PFCTL_TEST(1021, "Endpoint-independent") PFCTL_TEST(1022, "Test received-on") PFCTL_TEST(1023, "Test match log(matches)") PFCTL_TEST(1024, "nat64") +PFCTL_TEST(1025, "nat64 with implicit address family")
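
Review bot: In the pfrule hunk of sbin/pfctl/parse.y (@@ -2422), dropping the `if (!$6)` test leaves no visible rejection of an af-to rule whose source family is never determined. `r.af = $6` is still 0 when the `af` keyword is omitted, and the check added to filter_consistent() only fires on `r->af == r->naf`, which is false when `r->af` is 0 and `r->naf` is set. If the family is always filled in from the from/to hosts before filter_consistent() runs, a short comment at this spot saying where that happens would help the next reader; if it can stay 0 (for example when neither from nor to carries an address), consider also rejecting `r->af == 0` for PFRULE_AFTO rules so the case formerly reported as "must indicate source address family with af-to" stays covered.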
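
Review bot: In the filter_consistent() hunk (@@ -5465), the condition `r->rule_flag & PFRULE_AFTO && r->af == r->naf` mixes `&`, `&&` and `==` with no parentheses. It parses as intended, but `(r->rule_flag & PFRULE_AFTO) && r->af == r->naf` makes the grouping explicit and guards against a later edit changing the meaning. The new message "must indicate different address family with af-to" also now stands in for both of the removed parser errors, so it is worth confirming that the wording still tells the user which family (the matching one or the translation one) needs to change.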
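
Review bot: The new pf1025.in / pf1025.ok pair exercises only the accepted case, an inet source inferred from `10.0.0.0/8` and translated with `af-to inet6`. Nothing in the added tests reaches the new filter_consistent() error path, where the inferred source family equals the af-to family, and the reverse direction (an IPv6 address in from/to with `af-to inet`) is not covered either. If the test list supports rules that are expected to be rejected, a same-family case would confirm that the check moved out of the pfrule action still fires once the family is implicit.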