From: Dirk-Willem van Gulik
Subject: IPv6 and IPv4 combined rules in pf.conf
Date: Wed, 8 May 2024 18:57:17 +0200
To: FreeBSD Hackers
Message-Id: <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are listening to - is there a recommended way to setup pf.conf to avoid mistakes/duplication ?

To avoid duplication in constructs such as:

# Foo app servers
foobarserver_host4=231.17.X.Y
foobarserver_host6=fe80::5246:…

# Load balancers - direct or via tun0 in post/fail-back
bar_net=X.Y.Z.Z #
bar_net6=fe80::5246:… #
…
pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state

Is there some recommended way of doing this in stock FreeBSD ? Or does one usually end up with some sort of macro/generate style solution ?

Dw
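
The "macro/generate style" approach the message mentions, sketched as an added example (not code from the original post or from FreeBSD): a small Python generator that takes one mixed IPv4/IPv6 definition and emits one pf rule per address family using the `inet` and `inet6` keywords, refusing input where a family appears on only one side. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

AF_KEYWORD = {4: "inet", 6: "inet6"}  # pf.conf address-family keywords


def split_by_family(items):
    """Parse mixed IPv4/IPv6 hosts or CIDRs; ValueError on anything malformed."""
    families = {4: [], 6: []}
    for item in items:
        net = ipaddress.ip_network(item)  # strict: rejects host bits in a CIDR
        families[net.version].append(str(net))
    return families


def pf_pass_rules(ifaces, proto, port, sources, dests):
    """Return one 'pass in' line per address family, from a single definition."""
    src, dst = split_by_family(sources), split_by_family(dests)
    rules = []
    for version, keyword in AF_KEYWORD.items():
        if not src[version] and not dst[version]:
            continue  # family not used at all
        if not src[version] or not dst[version]:
            # The mistake a hand-written rule pair invites: one side forgotten.
            raise ValueError(f"IPv{version} present on only one side of the rule")
        rules.append(
            f"pass in on {{ {', '.join(ifaces)} }} {keyword} proto {proto} "
            f"from {{ {', '.join(src[version])} }} "
            f"to {{ {', '.join(dst[version])} }} port {port} keep state"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample values from the documentation ranges (RFC 5737 / RFC 3849).
    for line in pf_pass_rules(
        ifaces=["tun0", "$ext_if"], proto="udp", port=2194,
        sources=["198.51.100.0/24", "2001:db8:1::/48"],
        dests=["192.0.2.10", "2001:db8::10"],
    ):
        print(line)
```

The generated lines can be written to a separate file and checked with `pfctl -nf` before loading.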