
From:
Alexandr Nedvedicky <sashan@fastmail.net>
Subject:
Re: tell pfctl(8) route-to no longer expects network interface
To:
tech@openbsd.org
Date:
Sun, 3 May 2026 07:23:57 +0200


Hello,

Let's forget this diff for now.

It has turned out there is no pressure to get this in.
According to further testing with wg(4), it is possible
to use a local interface address (for example wg0) as the
next hop for the route-to action. Things work as expected
as long as the wg(4) tunnel policy allows the packet to enter
the tunnel; the wgaip ifconfig(8) option must allow the address.
 
sorry for the noise
regards
sashan

On Sun, May 03, 2026 at 12:06:53AM +0200, Alexandr Nedvedicky wrote:
</snip>
> 
> --------8<---------------8<-----------------8<--------
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index 92764edcf3b..be3c6348f2c 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -3147,8 +3147,7 @@ host		: STRING			{
>  				yyerror("could not parse host specification");
>  				YYERROR;
>  			}
> -			free($1);
> -
> +			$$->parser_input = $1;
>  		}
>  		| STRING '-' STRING		{
>  			struct node_host *b, *e;
> @@ -3326,7 +3325,7 @@ dynaddr		: '(' STRING ')'		{
>  				yyerror("interface name too long");
>  				YYERROR;
>  			}
> -			free(op);
> +			$$->parser_input = op;
>  			$$->next = NULL;
>  			$$->tail = $$;
>  		}
> @@ -4212,6 +4211,16 @@ routespec	: redirspec pool_opts {
>  			if (redir == NULL)
>  				err(1, "routespec calloc");
>  			redir->host = $1;
> +			if (redir->host->parser_input != NULL) {
> +				struct node_host *chk_if;
> +
> +				chk_if = host_if(redir->host->parser_input, 0);
> +				if (chk_if != NULL) {
> +					yyerror("route-to/reply-to/dup-to: "
> +					    "network interface not expected");
> +					YYERROR;
> +				}
> +			}
>  			filter_opts.rroute.rdr = redir;
>  			memcpy(&filter_opts.rroute.pool_opts, &$2,
>  			    sizeof(filter_opts.rroute.pool_opts));
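Review bot: The list returned by host_if() on the `chk_if = host_if(redir->host->parser_input, 0);` line is never released; when it is non-NULL the action goes straight to YYERROR and the allocation is leaked, so it should be freed with whatever helper this file uses for node_host lists before the YYERROR. The check also reads parser_input only from the head node `redir->host`, so if redirspec can yield a list of several hosts the rest are not validated. Reading `redir->host->parser_input` also assumes every node_host allocation zero-fills the new field; any allocation site that does not use calloc would make this an uninitialized read, which is worth confirming. The routespec action continues outside the hunk.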
> diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
> index c65a805ad90..b85a10c0391 100644
> --- a/sbin/pfctl/pfctl_parser.h
> +++ b/sbin/pfctl/pfctl_parser.h
> @@ -150,6 +150,7 @@ struct node_host {
>  	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
>  	u_int16_t		 weight;	/* load balancing weight */
>  	char			*ifname;
> +	char			*parser_input;
>  	u_int			 ifa_flags;
>  	struct node_host	*next;
>  	struct node_host	*tail;
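Review bot: The new `parser_input` member is the only field in this part of struct node_host without a trailing comment, and neither this hunk nor the parse.y hunks state who owns the string it points to. A comment such as `char *parser_input;	/* original token text; owned by this node */` would tell readers that it must be released together with the node. Whether the node_host release path actually frees it is not visible from this diff and should be checked.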
> @@ -332,6 +333,7 @@ char			*ifa_indextoname(unsigned int, char *);
>  struct node_host	*ifa_exists(const char *);
>  struct node_host	*ifa_lookup(const char *, int);
>  struct node_host	*host(const char *, int);
> +struct node_host	*host_if(const char *, int);
>  
>  int			 append_addr(struct pfr_buffer *, char *, int, int);
>  int			 append_addr_host(struct pfr_buffer *,
>