From 99eb00558a73186924b3dce77c96687bb0cb6b48 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Sun, 28 Oct 2018 05:32:50 +0000 Subject: [PATCH] pf: Make ':0' ignore link-local v6 addresses too When users mark an interface to not use aliases they likely also don't want to use the link-local v6 address there. PR: 201695 Submitted by: Russell Yount Differential Revision: https://reviews.freebsd.org/D17633 --- sbin/pfctl/pfctl_parser.c | 3 +++ share/man/man5/pf.conf.5 | 4 ++-- sys/netpfil/pf/pf_if.c | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index d3ac9506ac35..9fbfe7cbdb7b 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1366,6 +1366,9 @@ ifa_lookup(const char *ifa_name, int flags) last_if = p->ifname; if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET && got4) continue; + if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && + IN6_IS_ADDR_LINKLOCAL(&p->addr.v.a.addr.v6)) + continue; if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && got6) continue; if (p->af == AF_INET) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 4b6601162cef..ab4e69dbd1d4 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 6, 2016 +.Dd October 27, 2018 .Dt PF.CONF 5 .Os .Sh NAME @@ -1511,7 +1511,7 @@ Do not include interface aliases. Host names may also have the .Ar :0 option appended to restrict the name resolution to the first of each -v4 and v6 address found. +v4 and non-link-local v6 address found. .Pp Host name resolution and interface to address translation are done at ruleset load-time. diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c index 4e3689c9d855..599f80cf7f13 100644 --- a/sys/netpfil/pf/pf_if.c +++ b/sys/netpfil/pf/pf_if.c @@ -553,7 +553,8 @@ pfi_instance_add(struct ifnet *ifp, int net, int flags) if ((flags & PFI_AFLAG_PEER) && !(ifp->if_flags & IFF_POINTOPOINT)) continue; - if ((flags & PFI_AFLAG_NETWORK) && af == AF_INET6 && + if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && + af == AF_INET6 && IN6_IS_ADDR_LINKLOCAL( &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) continue;