Date: Sun, 28 Oct 2018 05:32:50 +0000 (UTC)
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r339835 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf
Message-ID: <201810280532.w9S5WoV4010440@repo.freebsd.org>
Author: kp Date: Sun Oct 28 05:32:50 2018 New Revision: 339835 URL: https://svnweb.freebsd.org/changeset/base/339835 Log: pf: Make ':0' ignore link-local v6 addresses too When users mark an interface to not use aliases they likely also don't want to use the link-local v6 address there. PR: 201695 Submitted by: Russell Yount <Russell.Yount AT gmail.com> Differential Revision: https://reviews.freebsd.org/D17633 Modified: head/sbin/pfctl/pfctl_parser.c head/share/man/man5/pf.conf.5 head/sys/netpfil/pf/pf_if.c Modified: head/sbin/pfctl/pfctl_parser.c ============================================================================== --- head/sbin/pfctl/pfctl_parser.c Sun Oct 28 03:02:09 2018 (r339834) +++ head/sbin/pfctl/pfctl_parser.c Sun Oct 28 05:32:50 2018 (r339835) @@ -1366,6 +1366,9 @@ ifa_lookup(const char *ifa_name, int flags) last_if = p->ifname; if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET && got4) continue; + if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && + IN6_IS_ADDR_LINKLOCAL(&p->addr.v.a.addr.v6)) + continue; if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && got6) continue; if (p->af == AF_INET) Modified: head/share/man/man5/pf.conf.5 ============================================================================== --- head/share/man/man5/pf.conf.5 Sun Oct 28 03:02:09 2018 (r339834) +++ head/share/man/man5/pf.conf.5 Sun Oct 28 05:32:50 2018 (r339835) @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 6, 2016 +.Dd October 27, 2018 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -1511,7 +1511,7 @@ Do not include interface aliases. Host names may also have the .Ar :0 option appended to restrict the name resolution to the first of each -v4 and v6 address found. +v4 and non-link-local v6 address found. .Pp Host name resolution and interface to address translation are done at ruleset load-time. Modified: head/sys/netpfil/pf/pf_if.c ============================================================================== --- head/sys/netpfil/pf/pf_if.c Sun Oct 28 03:02:09 2018 (r339834) +++ head/sys/netpfil/pf/pf_if.c Sun Oct 28 05:32:50 2018 (r339835) @@ -553,7 +553,8 @@ pfi_instance_add(struct ifnet *ifp, int net, int flags if ((flags & PFI_AFLAG_PEER) && !(ifp->if_flags & IFF_POINTOPOINT)) continue; - if ((flags & PFI_AFLAG_NETWORK) && af == AF_INET6 && + if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && + af == AF_INET6 && IN6_IS_ADDR_LINKLOCAL( &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) continue;
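Review bot: in the ifa_lookup() hunk of head/sbin/pfctl/pfctl_parser.c, the new IN6_IS_ADDR_LINKLOCAL test sits ahead of the existing got6 test, so with PFI_AFLAG_NOALIAS set an interface whose only IPv6 address is link-local now yields no IPv6 address at all, where it used to yield that one. The consequence for rules already written with :0 is not spelled out anywhere in the hunk. Suggest a one-line comment above the added "if" saying that link-local addresses are never selected under NOALIAS, so the ordering against the got6 check is clearly intentional.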
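Review bot: in the second head/share/man/man5/pf.conf.5 hunk (@@ -1511), the wording change lands only in the sentence about host names ("v4 and non-link-local v6 address found"), while the context line describing the interface modifier, "Do not include interface aliases.", is left unchanged. The code hunks in this commit are in ifa_lookup() and pfi_instance_add(), which by their signatures work on interface addresses, so the :0 interface modifier description should also state that link-local v6 addresses are skipped.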
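Review bot: in the pfi_instance_add() hunk of head/sys/netpfil/pf/pf_if.c, the link-local skip now triggers on "flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)", folding two flags with different purposes into one condition without a comment. The pfctl side of this commit adds a separate "if" for PFI_AFLAG_NOALIAS; doing the same here, or adding a short comment on why each flag excludes link-local addresses, would keep the kernel and userland checks easy to compare.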