From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: Lexi Winter <lexi@le-fay.org>
Cc: FreeBSD Hackers
Subject: Re: IPv6 and IPv4 combined rules in pf.conf
Date: Wed, 8 May 2024 22:41:56 +0200
Message-Id: <6005DECF-10AA-487F-8F95-317B4227E988@webweaving.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

> On 8 May 2024, at 22:14, Lexi Winter <lexi@le-fay.org> wrote:
>
> Dirk-Willem van Gulik:
>> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
>> listening to - is there a recommended way to setup pf.conf to avoid
>> mistakes/duplication ?
>
>> To avoid duplication in constructs such as:
>
>> # Foo app servers
>> foobarserver_host4=231.17.X.Y
>> foobarserver_host6=fe80::5246:…
>>
>> # Load balancers - direct or via tun0 in post/fail-back
>> bar_net=X.Y.Z.Z #
>> bar_net6=fe80::5246:… #
>> …
>>
>> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
>> pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
>
>> Is there some recommended way of doing this in stock FreeBSD ? Or does
>> one usually end up with some sort of macro/generate style solution ?
>
> i would suggest something like this:
>
> table <foobarserver> {
>     231.17.X.Y
>     fe80::5246:...
> }
>
> table <bar-net> {
>     ...
> }
>
> pass on { tun0, $ext_if } proto udp from <bar-net> \
>     to <foobarserver> port 2194

Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and same for tcp6 and icmp6 v.s. tcp/icmp — pf guesses this right based on the address ?

> note that in either case pf doesn't need 'keep state'.

Sorry :) cut and paste of an actual TCP rule edited to protect the innocent.

Dw
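As an added example that is not part of the thread, a pf.conf fragment applying Lexi's suggestion: one mixed-family table per role and a single rule that covers both families, plus the `inet6` address-family keyword for the case where one family needs different treatment. The interface name and addresses are constructed placeholders from documentation ranges; the `pfctl` checks in the comments are the stock FreeBSD flags.

```pf
# Added example, not from the thread. em0 and all addresses are constructed
# placeholders (RFC 5737 / RFC 3849 documentation ranges).
ext_if = "em0"

# One table per role, holding IPv4 and IPv6 entries side by side; pf matches
# each entry only against packets of its own address family.
table <foobarserver> { 203.0.113.10, 2001:db8:1::10 }
table <bar_net>      { 203.0.113.0/24, 2001:db8:2::/48 }

# The duplicated form from the question, one rule per family. pf resolves
# "proto" names via /etc/protocols, so confirm any name such as udp6 with
# "pfctl -nf /etc/pf.conf" (parse only, nothing is loaded) before relying on it.
# pass in on { tun0, $ext_if } proto udp  from 203.0.113.0/24 to 203.0.113.10  port 2194
# pass in on { tun0, $ext_if } proto udp6 from 2001:db8:2::/48 to 2001:db8:1::10 port 2194

# Single rule for both families. "pass" keeps state by default, so the
# "keep state" from the question is implied and can be dropped.
pass in on { tun0, $ext_if } proto udp from <bar_net> to <foobarserver> port 2194

# Where one family must differ, restrict with inet/inet6 instead of a second
# table. Without "quick" the last matching rule wins, so this keeps the same
# pass decision for IPv6 but adds logging to pflog0 for that family only.
pass in log on $ext_if inet6 proto udp from <bar_net> to <foobarserver> port 2194

# Inspect what actually loaded:
#   pfctl -t foobarserver -T show      # table entries, both families
#   pfctl -sr                           # active rules
```

Load with `pfctl -f /etc/pf.conf` only after `pfctl -nf` reports no errors; a typo in a mixed table silently drops the whole rule set on load.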