From: Crystal Kolipe
Subject: pf rule bypass with IPv6 link local destination
To: tech@openbsd.org
Date: Wed, 21 Aug 2024 07:11:16 -0300

Rules in pf.conf that specify a 'user' parameter are ignored when the
destination is an IPv6 link local address.

Is this a known bug, limitation, or expected behaviour?

The effect is somewhat worse when the 'user' parameter is used in a block
rule, as during casual testing with globally scoped IPv6 addresses it
appears to work, and yet the blocked UIDs can still access link-local
addresses that are expected to be blocked (see second example).

Minimal reproducer:

Local IPs: 192.168.1.1, 2001:db8:ffff::1, fe80::1111:2222:3333:4444

# cat /etc/pf.conf
block return
pass out proto tcp user 1000

As root:

telnet 192.168.1.2                        Fails as expected
telnet 2001:db8:ffff::2                   Fails as expected
telnet fe80::1111:2222:3333:4444%rge0     Fails as expected

As UID 1000:

telnet 192.168.1.2                        Works as expected
telnet 2001:db8:ffff::2                   Works as expected
telnet fe80::1111:2222:3333:4444%rge0     Fails !?

Second example:

Local IPs: 192.168.1.1, 2001:db8:ffff::1, fe80::1111:2222:3333:4444

# cat /etc/pf.conf
block return
pass out
block out proto tcp user 1000

As root:

telnet 192.168.1.2                        Works as expected
telnet 2001:db8:ffff::2                   Works as expected
telnet fe80::1111:2222:3333:4444%rge0     Works as expected

As UID 1000:

telnet 192.168.1.2                        Fails as expected
telnet 2001:db8:ffff::2                   Fails as expected
telnet fe80::1111:2222:3333:4444%rge0     Works :-(
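An added audit script (not part of the original mail) that repeats the reporter's second test matrix with nc(1) instead of telnet and flags every destination where a user-scoped block rule is not enforced. It assumes the second ruleset from the mail (block out proto tcp user 1000), the same sample addresses and interface name, OpenBSD's su(1) and nc(1), and that it is run as root.

```sh
#!/bin/sh
# pf-user-audit.sh (added example): run the reporter's test matrix and flag
# any outcome that contradicts the ruleset. Invoke as root: sh pf-user-audit.sh run

# Destinations from the mail; %rge0 is the scope for the link-local address.
TARGETS="192.168.1.2 2001:db8:ffff::2 fe80::1111:2222:3333:4444%rge0"
PORT=23          # telnet, as in the original reproducer
BLOCKED_UID=1000 # the UID named in "block out proto tcp user 1000"

# is_link_local ADDR: succeeds if ADDR is in fe80::/10 (a %scope suffix is allowed).
is_link_local() {
    case "$1" in
        [Ff][Ee][89AaBb][0-9A-Fa-f]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# expected UID: what the ruleset should do for this UID, "pass" or "block".
expected() {
    [ "$1" -eq "$BLOCKED_UID" ] && echo block || echo pass
}

# verdict EXPECTED ACTUAL: "ok" when they agree, "BYPASS" when a block was
# expected but the connection succeeded, "MISMATCH" for any other disagreement.
verdict() {
    if [ "$1" = "$2" ]; then echo ok
    elif [ "$1" = block ] && [ "$2" = pass ]; then echo BYPASS
    else echo MISMATCH
    fi
}

# try_connect UID ADDR: attempt a TCP connect as UID; print "pass" or "block".
# su -s /bin/sh USER -c CMD follows the pattern OpenBSD's rc.subr uses.
try_connect() {
    if su -s /bin/sh "$(id -un "$1")" -c "nc -z -w 2 '$2' $PORT" </dev/null >/dev/null 2>&1
    then echo pass; else echo block; fi
}

# run_matrix: root and the blocked UID against every target, one line per test.
run_matrix() {
    for uid in 0 "$BLOCKED_UID"; do
        for addr in $TARGETS; do
            exp=$(expected "$uid"); act=$(try_connect "$uid" "$addr")
            is_link_local "$addr" && scope=link-local || scope=global
            printf '%-10s uid=%-5s %-34s expected=%-5s got=%-5s %s\n' \
                "$scope" "$uid" "$addr" "$exp" "$act" "$(verdict "$exp" "$act")"
        done
    done
}

case "${1:-}" in run) run_matrix ;; esac
```

With the behaviour described in the mail, the link-local row for uid=1000 prints BYPASS while the global rows print ok.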