From: Alexandr Nedvedicky Subject: Re: tell pfctl(8) route-to no longer expects network interface To: tech@openbsd.org Date: Sun, 3 May 2026 07:23:57 +0200 Hello, let's forget this diff for now. it has turned out there is no pressure to get this in. according to further testing with wg(4) it's possible to use a local interface address (for example wg0) as next-hop for route-to action. Things work as expected as long as wg(4) tunnel policy allows packet to enter tunnel, wgaip ifconifg(8) option must allow the address. sorry for the noise regards sashan On Sun, May 03, 2026 at 12:06:53AM +0200, Alexandr Nedvedicky wrote:
>
> --------8<---------------8<-----------------8<--------
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index 92764edcf3b..be3c6348f2c 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -3147,8 +3147,7 @@ host : STRING {
> yyerror("could not parse host specification");
> YYERROR;
> }
> - free($1);
> -
> + $$->parser_input = $1;
> }
> | STRING '-' STRING {
> struct node_host *b, *e;
> @@ -3326,7 +3325,7 @@ dynaddr : '(' STRING ')' {
> yyerror("interface name too long");
> YYERROR;
> }
> - free(op);
> + $$->parser_input = op;
> $$->next = NULL;
> $$->tail = $$;
> }
> @@ -4212,6 +4211,16 @@ routespec : redirspec pool_opts {
> if (redir == NULL)
> err(1, "routespec calloc");
> redir->host = $1;
> + if (redir->host->parser_input != NULL) {
> + struct node_host *chk_if;
> +
> + chk_if = host_if(redir->host->parser_input, 0);
> + if (chk_if != NULL) {
> + yyerror("route-to/reply-to/dup-to: "
> + "network interface not expected");
> + YYERROR;
> + }
> + }
> filter_opts.rroute.rdr = redir;
> memcpy(&filter_opts.rroute.pool_opts, &$2,
> sizeof(filter_opts.rroute.pool_opts));
> diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
> index c65a805ad90..b85a10c0391 100644
> --- a/sbin/pfctl/pfctl_parser.h
> +++ b/sbin/pfctl/pfctl_parser.h
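Review bot: The token string that used to be released is now kept on the node (`$$->parser_input = $1;` in the host hunk, `$$->parser_input = op;` in the dynaddr hunk), but no hunk in this diff adds a matching release. Unless the places that free a `struct node_host` are updated outside this diff, every host and dynaddr token leaks; a `free(n->parser_input);` ahead of each node's own `free` would restore the old lifetime. If `host()` can return more than one node for a single token, presumably only the head carries the pointer, and any by-value copy of a node would alias it, so the member needs one clear owner. Both productions begin and end outside their hunks.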
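Review bot: The new test in routespec looks only at `redir->host`, the head node, so if redirspec can yield a chain (struct node_host has `next` and `tail`) an interface named later in the list is not rejected. Walking the chain and skipping nodes whose `parser_input` is NULL would close that gap. The non-NULL `chk_if` returned by `host_if()` is also never released before `YYERROR`. Because the test re-resolves the raw token, the same ruleset is presumably accepted or rejected depending on which interfaces exist at load time, which deserves a comment. The routespec action continues outside the hunk.

```c
redir->host = $1;
{
	struct node_host *n, *chk_if;

	/* reject an interface anywhere in the list, not only at its head */
	for (n = redir->host; n != NULL; n = n->next) {
		if (n->parser_input == NULL)
			continue;
		chk_if = host_if(n->parser_input, 0);
		if (chk_if != NULL) {
			/* … release chk_if with the file's existing node_host cleanup … */
			yyerror("route-to/reply-to/dup-to: "
			    "network interface not expected");
			YYERROR;
		}
	}
}
/* … unchanged: filter_opts.rroute.rdr assignment and pool_opts memcpy … */
```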
> @@ -150,6 +150,7 @@ struct node_host {
> u_int32_t ifindex; /* link-local IPv6 addrs */
> u_int16_t weight; /* load balancing weight */
> char *ifname;
> + char *parser_input;
> u_int ifa_flags;
> struct node_host *next;
> struct node_host *tail;
> @@ -332,6 +333,7 @@ char *ifa_indextoname(unsigned int, char *);
> struct node_host *ifa_exists(const char *);
> struct node_host *ifa_lookup(const char *, int);
> struct node_host *host(const char *, int);
> +struct node_host *host_if(const char *, int);
>
> int append_addr(struct pfr_buffer *, char *, int, int);
> int append_addr_host(struct pfr_buffer *,
>
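Review bot: `parser_input` is added to struct node_host without a comment, and its lifetime is not obvious from the declaration. Per the parse.y hunks it holds the heap-allocated token handed over by the grammar, not a borrowed string, and the routespec check treats NULL as a valid value. I would document that on the declaration, for example `char *parser_input; /* raw token from parse.y, owned by this node, may be NULL */`. The struct definition continues outside the hunk.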