git: 899e79760dcc - main - pfctl: allow an implicit address family for af-to rules

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 24 Jan 2025 10:25:02 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=899e79760dcce8c9358caf2e2bddfe1ba3ad6dee

commit 899e79760dcce8c9358caf2e2bddfe1ba3ad6dee
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-23 08:46:06 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-01-24 10:20:30 +0000

    pfctl: allow an implicit address family for af-to rules
    
    If the address family can be determined by the "from" or "to" parameter in the
    matching part, it is no longer necessary to specify "inet" or "inet6" there.
    OK henning@ mikeb@
    
    Obtained from:  OpenBSD, bluhm <bluhm@openbsd.org>, ff33038bc1
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y                   | 17 +++++------------
 sbin/pfctl/tests/files/pf1025.in     |  1 +
 sbin/pfctl/tests/files/pf1025.ok     |  1 +
 sbin/pfctl/tests/pfctl_test_list.inc |  1 +
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index e66d3cdd295e..ab74d2dd57ab 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -2422,19 +2422,8 @@ pfrule		: action dir logquick interface route af proto fromto
 				r.scrub_flags |= PFSTATE_SETPRIO;
 			}
 
-			if ($9.marker & FOM_AFTO) {
-				if (!$6) {
-					yyerror("must indicate source address "
-					    "family with af-to");
-					YYERROR;
-				}
-				if ($6 == $9.nat.af) {
-					yyerror("incorrect address family "
-					    "translation");
-					YYERROR;
-				}
+			if ($9.marker & FOM_AFTO)
 				r.rule_flag |= PFRULE_AFTO;
-			}
 
 			r.af = $6;
 			if ($9.tag)
@@ -5465,6 +5454,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
 		yyerror("must indicate address family with icmp-type/code");
 		problems++;
 	}
+	if (r->rule_flag & PFRULE_AFTO && r->af == r->naf) {
+		yyerror("must indicate different address family with af-to");
+		problems++;
+	}
 	if (r->overload_tblname[0] &&
 	    r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) {
 		yyerror("'overload' requires 'max-src-conn' "
diff --git a/sbin/pfctl/tests/files/pf1025.in b/sbin/pfctl/tests/files/pf1025.in
new file mode 100644
index 000000000000..d4ad821a6899
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.in
@@ -0,0 +1 @@
+pass in from 10.0.0.0/8 af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1025.ok b/sbin/pfctl/tests/files/pf1025.ok
new file mode 100644
index 000000000000..8f48c987c6a0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc
index 62bb87e680d8..0a523386c16c 100644
--- a/sbin/pfctl/tests/pfctl_test_list.inc
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -133,3 +133,4 @@ PFCTL_TEST(1021, "Endpoint-independent")
 PFCTL_TEST(1022, "Test received-on")
 PFCTL_TEST(1023, "Test match log(matches)")
 PFCTL_TEST(1024, "nat64")
+PFCTL_TEST(1025, "nat64 with implicit address family")