Bug 201695 - [PATCH] pf.conf syntax (interface:0) incorrectly results in IPv6 link-local address
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.1-RELEASE
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-pf (Nobody)
Keywords: patch
Reported: 2015-07-19 19:59 UTC by Russell.Yount
Modified: 2019-03-09 10:34 UTC
Description Russell.Yount 2015-07-19 19:59:55 UTC
The pf.conf syntax '(interface:0)' incorrectly results in an IPv6 link-local address rather than a routable IPv6 address. Patch included at end of this description.

PF.CONF(5) should also be updated. It states:

Host names may also have the :0 option appended to restrict the
name resolution to the first of each v4 and v6 address found.

Should be:

Host names may also have the :0 option appended to restrict the
name resolution to the first of each v4 and non-link-local v6 address found.

Patch:

--- usr/src/sys/netpfil/pf/pf_if.c.orig 2015-07-19 12:46:23.000000000 -0500
+++ usr/src/sys/netpfil/pf/pf_if.c      2015-07-19 12:49:01.000000000 -0500
@@ -522,7 +522,7 @@
                if ((flags & PFI_AFLAG_PEER) &&
                    !(ifp->if_flags & IFF_POINTOPOINT))
                        continue;
-               if ((flags & PFI_AFLAG_NETWORK) && af == AF_INET6 &&
+               if ((flags & (PFI_AFLAG_NETWORK|PFI_AFLAG_NOALIAS)) && af == AF_INET6 &&
                    IN6_IS_ADDR_LINKLOCAL(
                    &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr))
                        continue;
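Review bot: the changed condition line runs to roughly 88 columns and should be wrapped, for example by ending the first line at `if ((flags & (PFI_AFLAG_NETWORK|PFI_AFLAG_NOALIAS)) &&` and moving `af == AF_INET6 &&` to the continuation line. On the logic, with `PFI_AFLAG_NOALIAS` now in the mask every link-local IPv6 address hits the `continue`, so an interface whose only IPv6 address is link-local contributes no IPv6 address at all for `(interface:0)`; that outcome should be stated in pf.conf(5) along with the wording proposed in the description, and this patch carries no man page hunk.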
Comment 1 Kristof Provost freebsd_committer freebsd_triage 2018-10-21 00:39:27 UTC
Reviews:
https://reviews.freebsd.org/D17633
https://reviews.freebsd.org/D17634

I think this makes sense, but it's a behaviour change, so I'd like to think about this a bit more before I commit it.
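
The behaviour change discussed in this report, as an added example that is not part of the bug report or of FreeBSD's source: a simplified C model of the loop in the hunk, showing which addresses `(interface:0)` yields before and after the patch, including an interface with only a link-local IPv6 address. The flag values, the `got[]` bookkeeping, `pick_addrs()` and every address are assumptions made for illustration.

```c
/* Simplified model of the loop the patch touches. Flag names come from the
 * hunk; flag values, the got[] bookkeeping, pick_addrs() and all addresses
 * are constructed for illustration and are not FreeBSD source. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define PFI_AFLAG_NETWORK 0x01	/* constructed value */
#define PFI_AFLAG_NOALIAS 0x08	/* constructed value */
/* Constructed interface: link-local listed ahead of the global address. */
static const char *em0_addrs[] = {
	"192.0.2.10", "fe80::1", "2001:db8::10", "192.0.2.11", "2001:db8::11" };
/* Constructed interface with no global IPv6 address. */
static const char *lan0_addrs[] = { "198.51.100.1", "fe80::2" };

/* Copy the addresses that would be used into out[]; return how many.
 * patched == 0 applies the pre-patch test, patched == 1 the post-patch one. */
static int
pick_addrs(const char **addrs, int n, int flags, int patched, const char **out)
{
	int got[2] = { 0, 0 }, cnt = 0;	/* got[0]: IPv4 seen, got[1]: IPv6 seen */
	int skip_ll = flags & (patched ?
	    (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS) : PFI_AFLAG_NETWORK);
	for (int i = 0; i < n; i++) {
		struct in6_addr a6;
		int is6 = strchr(addrs[i], ':') != NULL;
		if (is6 && (inet_pton(AF_INET6, addrs[i], &a6) != 1 ||
		    (skip_ll && IN6_IS_ADDR_LINKLOCAL(&a6))))
			continue;	/* unparsable, or link-local being skipped */
		if ((flags & PFI_AFLAG_NOALIAS) && got[is6])
			continue;	/* ':0' keeps only the first per family */
		got[is6] = 1;
		out[cnt++] = addrs[i];
	}
	return (cnt);
}

int main(void)
{
	const char *out[8];
	for (int p = 0; p <= 1; p++) {
		int n = pick_addrs(em0_addrs, 5, PFI_AFLAG_NOALIAS, p, out);
		int m = pick_addrs(lan0_addrs, 2, PFI_AFLAG_NOALIAS, p, out + n);
		printf("patched=%d em0:0 -> %s %s, lan0:0 -> %d address(es)\n",
		    p, out[0], out[1], m);
	}
}
```
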
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-10-28 05:33:46 UTC
A commit references this bug:

Author: kp
Date: Sun Oct 28 05:32:51 UTC 2018
New revision: 339835
URL: https://svnweb.freebsd.org/changeset/base/339835

Log:
  pf: Make ':0' ignore link-local v6 addresses too

  When users mark an interface to not use aliases they likely also don't
  want to use the link-local v6 address there.

  PR:		201695
  Submitted by:	Russell Yount <Russell.Yount AT gmail.com>
  Differential Revision:	https://reviews.freebsd.org/D17633

Changes:
  head/sbin/pfctl/pfctl_parser.c
  head/share/man/man5/pf.conf.5
  head/sys/netpfil/pf/pf_if.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-10-28 05:37:51 UTC
A commit references this bug:

Author: kp
Date: Sun Oct 28 05:37:15 UTC 2018
New revision: 339836
URL: https://svnweb.freebsd.org/changeset/base/339836

Log:
  pf tests: Test ':0' ignoring link-local addresses

  PR:		201695

Changes:
  head/tests/sys/netpfil/pf/pass_block.sh
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-03-09 10:34:15 UTC
A commit references this bug:

Author: kp
Date: Sat Mar  9 10:33:47 UTC 2019
New revision: 344965
URL: https://svnweb.freebsd.org/changeset/base/344965

Log:
  MFC r339836, r340286, r341358:

  pf tests: Test ':0' ignoring link-local addresses

  Fix test: sys.netpfil.pf.pass_block.noalias

  Replace hard-coded epair0b with the variable that holds the real epair
  interface used for testing.

  pf tests: Make pass_block:noalias more robust

  Send several ICMPv6 echo requests. We've seen occasional failures with a
  single request.

  PR:		201695

Changes:
_U  stable/12/
  stable/12/tests/sys/netpfil/pf/pass_block.sh