From: Alexandr Nedvedicky
Subject: Re: tell pfctl(8) route-to no longer expects network interface
To: Renaud Allard
Cc: tech@openbsd.org, mvs@openbsd.org
Date: Sat, 2 May 2026 21:09:22 +0200

Hello,

On Sat, May 02, 2026 at 05:41:35PM +0200, Renaud Allard wrote:
>
>
> On 02/05/2026 16:03, Alexandr Nedvedicky wrote:
> > Hello,
> >
> > Consider a rule as follows:
> >
> > pass in on vio0 from vio0:network to ! (vio0) route-to wg1
> >
> > When pfctl(8) in current resolves the 'wg1' option at the route-to action
> > it attempts to interpret it also as an interface name. This is wrong.
> > When the wg1 interface happens to be plumbed to the system the parser
> > accepts the rule with no error and uses the wg1 IP address as next-hop
> > for the route-to action. Such a configuration is invalid/unexpected because
> > matching packets will be looped back to the local IP stack.
> >
> > Since 6.9 the route-to action expects the next-hop/destination IP address where
> > matching packets should be sent to.
> >
> > The diff below prevents the parser from treating the route-to parameter as an interface name.
> >
> > The issue has been noticed and reported off-list by Vitaliy Makkoveev mvs@
> >
> > OK to commit?
> >
> >
> It seems this breaks correct simple rules:
>
> amd64# echo 'match out on em0 inet nat-to (em0)' > /tmp/test.conf
> amd64# /home/r/pfctl-patched -nvf /tmp/test.conf
>
> /tmp/test.conf:1: syntax error

Yes, the diff is wrong; it does not pass regress.

sashan