Feature #15776
closed
System Aliases for various reserved networks
100%
Description
#1979 added a System Aliases facility users can utilize to make rules with the built-in system aliases, and it would be nice to add some pre-defined lists of reserved networks to that.
Examples to start with could be:
- IPv4 Private Addresses: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
- IPv6 Private Addresses: fc00::/7
- IPv6 Link Local: fe80::/10
- IPv4 Multicast: 224.0.0.0/4
- IPv6 Multicast: ff00::0/8
- Localhost: 127.0.0.1, ::1
The IPv4 and IPv6 aliases could likely be combined.
Tricky part might be finding names which do not or cannot conflict with existing user-defined aliases, or renaming conflicting user aliases.
Updated by Jim Pingle 6 months ago
- Due date set to 10/26/2011
- Start date set to 10/26/2011
- Follows Feature #1979: Allow user-defined rules to utilize built-in system aliases added
Updated by Jim Pingle 6 months ago
- Due date deleted (10/26/2011)
- Start date deleted (10/26/2011)
Updated by Jim Pingle 4 months ago
- Plus Target Version changed from 25.01 to 25.03
Updated by Marcos M 4 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 4d7be13979570ea0071ce6e95e976588ee1e2dc8.
Updated by Georgiy Tyutyunnik 4 months ago
feature works correctly after change applied as a patch
aliases are created and populated
tested on:
24.11-RELEASE (amd64)
built on Wed Nov 27 19:22:00 CET 2024
FreeBSD 15.0-CURRENT
Updated by Jim Pingle 4 months ago
This looks good but I can't help wondering if we should have "46" variants with all of the IPv4 and IPv6 addresses together so users can use them in IPv4+IPv6 rules without rolling their own nested aliases (which does work, it just feels like it should be unnecessary).
Or just have one alias with all of them instead of separate 4 and 6 variants. PF will only use the appropriate entries based on the rule type, or it has in the past.
Updated by Jens Groh about 2 months ago
Jim Pingle wrote in #note-7:
> This looks good but I can't help wondering if we should have "46" variants with all of the IPv4 and IPv6 addresses together so users can use them in IPv4+IPv6 rules without rolling their own nested aliases (which does work, it just feels like it should be unnecessary).
>
> Or just have one alias with all of them instead of separate 4 and 6 variants. PF will only use the appropriate entries based on the rule type, or it has in the past.
I'd vote for combined aliases especially as PF doesn't have a problem using it. Default NAT outbound rules can be simplified so much by using a "local46" alias & a default outbound with all necessary networks, that especially for CARP setups the outbound setup is so much easier to read and manage. But a local46 and private46 would help tremendously to prepare good VLAN separation rulesets/templates instead of having singular rules per IP family or having to create nested aliases for that.
Updated by Marcos M about 2 months ago
Done with 15709960f5057fe0b1281a645a41b8958a8926a8.
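An added example, not part of the ticket and not pfSense code: a Python sketch of the combined "46" aliases discussed above, built from the networks listed in the description. It shows which entries apply to a rule of one address family, which alias an address falls into, and the name-conflict check the description calls tricky. The alias names and the case-insensitive comparison are assumptions made for illustration.

```python
import ipaddress

# Networks exactly as listed in the issue description. The alias names are
# hypothetical placeholders, not the names pfSense ships.
RESERVED = {
    "private46": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "fc00::/7"],
    "linklocal6": ["fe80::/10"],
    "multicast46": ["224.0.0.0/4", "ff00::0/8"],
    "localhost46": ["127.0.0.1", "::1"],
}


def parse(entries):
    """Turn alias entries into network objects; a bare host becomes /32 or /128."""
    return [ipaddress.ip_network(e) for e in entries]


def entries_for_family(alias, version):
    """Entries of a combined alias that apply to a rule of one family (4 or 6)."""
    return [n for n in parse(RESERVED[alias]) if n.version == version]


def matching_aliases(addr):
    """Names of all aliases whose entries contain addr, sorted."""
    ip = ipaddress.ip_address(addr)
    return sorted(
        name
        for name in RESERVED
        if any(ip in net for net in entries_for_family(name, ip.version))
    )


def name_conflicts(user_aliases):
    """User-defined alias names that would collide with a built-in name.

    Assumption: names are compared case-insensitively.
    """
    builtin = {name.casefold() for name in RESERVED}
    return [u for u in user_aliases if u.casefold() in builtin]


if __name__ == "__main__":
    # Constructed sample addresses, chosen to sit on the edges of the lists.
    for sample in ["172.31.255.254", "172.32.0.1", "fd12:3456::1",
                   "127.0.0.53", "::1", "239.1.1.1"]:
        print(f"{sample:16} -> {matching_aliases(sample) or 'no reserved alias'}")
    print("conflicts:", name_conflicts(["Private46", "lan_hosts"]))
```

With the lists as written in the description, the localhost entry covers only 127.0.0.1 and ::1, so another address in 127.0.0.0/8 such as 127.0.0.53 matches no alias.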