From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: Lexi Winter <lexi@le-fay.org>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: IPv6 and IPv4 combined rules in pf.conf
Date: Wed, 8 May 2024 23:19:59 +0200
Message-Id: <5258A000-3483-467F-8FE9-B3F986D62BB3@webweaving.org>
In-Reply-To: <6005DECF-10AA-487F-8F95-317B4227E988@webweaving.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 8 May 2024, at 22:41, Dirk-Willem van Gulik <dirkx@webweaving.org> wrote:
> 
>> On 8 May 2024, at 22:14, Lexi Winter <lexi@le-fay.org> wrote:
>> 
>> Dirk-Willem van Gulik:
>>> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
>>> listening to - is there a recommended way to set up pf.conf to avoid
>>> mistakes/duplication?
>> 
>>> To avoid duplication in constructs such as:
>> 
>>> # Foo app servers
>>> foobarserver_host4=231.17.X.Y
>>> foobarserver_host6=fe80::5246:…
>>> 
>>> # Load balancers - direct or via tun0 in post/fail-back
>>> bar_net=X.Y.Z.Z #
>>> bar_net6=fe80::5246:… #
>>> …
>>> 
>>> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
>>> pass in on { tun0, $ext_if } proto udp6 from $bar_net6 to $foobarserver_host6 port 2194 keep state
>> 
>>> Is there some recommended way of doing this in stock FreeBSD? Or does
>>> one usually end up with some sort of macro/generate style solution?
>> 
>> i would suggest something like this:
>> 
>> table <foobarserver> {
>>     231.17.X.Y
>>     fe80::5246:...
>> }
>> 
>> table <bar-net> {
>>     ...
>> }
>> 
>> pass on { tun0, $ext_if } proto udp from <bar-net> \
>>     to <foobarserver> port 2194
> 
> Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and same for tcp6 and icmp6 v.s. tcp/icmp) — pf guesses this right based on the address?

Ignore - that works perfectly - with inet/inet6 thrown in where I need to make the distinction.

Thanks!

Dw.
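The table-based approach Lexi suggests, written out as an added worked example (this is not configuration from the thread; the interface name vtnet0, the table names, the RFC 5737/3849 documentation addresses and the extra rules are assumptions made for illustration). pf resolves `proto` names through /etc/protocols, where `udp` and `tcp` are plain protocol numbers with no address family attached, so a single rule over a mixed table serves both families. ICMP (protocol 1) and ICMPv6 (protocol 58) are different protocols with different type keywords, which is the case where `inet` / `inet6` still has to be spelled out:

```pf
# Added example, not from the original post. Names and addresses are hypothetical.
ext_if = "vtnet0"

# One table holds both address families. pf looks an address up in the
# family of the packet being evaluated, so v4 clients match the v4
# entries and v6 clients the v6 entries of the same table.
# 'persist' keeps the table around even when no rule references it,
# so it can be edited at runtime with pfctl -t <name> -T add/delete/replace.
table <foobarserver> persist {
    198.51.100.10
    2001:db8:1::10
}

table <bar_net> persist {
    203.0.113.0/24
    2001:db8:2::/64
}

# Family-neutral rule: covers both the v4 and the v6 case of the two
# macro-based rules in the original question. 'keep state' is pf's
# default for pass rules and is written out here only for clarity.
pass in on { tun0, $ext_if } proto udp from <bar_net> to <foobarserver> port 2194 keep state

# Where the family matters: ICMP and ICMPv6 are different protocols
# with different type names, so these rules carry inet / inet6.
pass in inet  proto icmp  from <bar_net> to <foobarserver> icmp-type  echoreq
pass in inet6 proto icmp6 from <bar_net> to <foobarserver> icmp6-type echoreq

# Neighbour discovery must stay open on-link or IPv6 stops working
# entirely; there is no IPv4 equivalent of this rule (ARP is not IP).
pass inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv }

# Restricting a shared table to one family: only the IPv4 members of
# <bar_net> are consulted here, the v6 entries are simply never matched.
block in quick inet proto tcp from <bar_net> to <foobarserver> port 22
```

Check the file without loading it using `pfctl -nf /etc/pf.conf`. After loading it with `pfctl -f /etc/pf.conf`, `pfctl -t foobarserver -T show` lists the entries that actually made it into the table (both families should appear), and `pfctl -vsr` prints per-rule evaluation and match counters, which is the quickest way to confirm that IPv6 traffic is hitting the shared UDP rule rather than falling through to a default block.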