Feature #2634

closed

No IPv6 networks in firewall NAT rules

Added by Guy B over 12 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 09/16/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

I'm using snapshot:
2.1-BETA0 (i386)
built on Sat Sep 15 16:38:08 EDT 2012

I tried adding a port forward rule to test a transparent proxy setup in an IP6 network and got this error:

There were error(s) loading the rules: /tmp/rules.debug:71: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [71]: nat on nfe0 proto tcp from 192.168.1.0/24 to ::1 port 80 -> (nfe0)

If I set the IP6 loopback address to an IP4 address, 127.0.0.1, the rule passes, but as you can see it's automatically putting an IP4 address in the 'from' category, when I had put an IP6 alias in that rule.

If I go to add any port forward rule, there are no IP6 networks available in the source or destination addresses.

Not sure if this is a bug or just a future feature.

BTW, the proxy (squid3 & dansguardian) works just fine in non-transparent mode. :-)

Actions #1

Updated by Seth Mos over 12 years ago

Yeah, we'll need to block any IPv6 addresses in a redirect rule; it won't work.

Any nat or rdr cannot span address families. If I understand correctly you want to set up a transparent proxy to intercept IPv6 traffic? If so, those rules would best belong in the squid package, it needs IPv6 support too.

Actions #2

Updated by Guy B over 12 years ago

Thanks for the response Seth,

You understand correctly, I'm wanting to redirect IP6 traffic. I understand with squid and such, that's just the way it is and who knows when that'll be implemented. And I'm sure the reason for no IP6 rdrs is probably complicated, but it seems strange... (IP6 port redirects, while not crucial, would seem to me to be a major feature) Is there some way I can put in a manual pf rule to do an IP6 rdr?

thanks

Actions #3

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Resolved

Last I saw, this was working for rdr, you just need to make sure everything you specify is the same address family.
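As an added illustration of the same-address-family requirement described in this thread (not code from the ticket or from pfSense): a small Python linter that classifies the literal addresses in each nat/rdr line and flags a rule that mixes IPv4 and IPv6, which is the condition pfctl reports as "rule expands to no valid combination". The sample lines are constructed; the first is the rule quoted in the ticket, and the 2001:db8:1::/64 prefix and port 3128 are assumed values.

```python
import ipaddress
import re

# Constructed sample pf.conf lines (not the ticket's file). Line 1 is the rule
# quoted in the ticket; the others are assumed variants for illustration.
SAMPLE_RULES = """
nat on nfe0 proto tcp from 192.168.1.0/24 to ::1 port 80 -> (nfe0)
rdr on nfe0 proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 3128
rdr on nfe0 inet6 proto tcp from 2001:db8:1::/64 to any port 80 -> ::1 port 3128
rdr on nfe0 proto tcp from 2001:db8:1::/64 to any port 80 -> 127.0.0.1 port 3128
""".strip().splitlines()

def address_family(token):
    """Return 4 or 6 for a literal host/network token, None for anything else
    (keywords such as 'any', port numbers, interface names like '(nfe0)')."""
    try:
        return ipaddress.ip_network(token, strict=False).version
    except ValueError:
        return None

def rule_families(rule):
    """Set of address families used by the literal addresses in one rule.
    Interface names are ignored: pf expands them per family at load time."""
    families = set()
    for token in rule.replace(",", " ").split():
        fam = address_family(token)
        if fam is not None:
            families.add(fam)
    return families

def check_rule(rule):
    """Return (ok, message). A translation rule (nat/rdr/binat) may not span
    address families; a rule that does is rejected by pfctl."""
    if not re.match(r"\s*(nat|rdr|binat)\b", rule):
        return True, "not a translation rule, skipped"
    fams = rule_families(rule)
    if len(fams) > 1:
        return False, "mixes IPv%s and IPv%s addresses" % tuple(sorted(fams))
    return True, "single address family" if fams else "no literal addresses"

def lint(rules):
    """Run check_rule over each line; return a list of (line_no, ok, message)."""
    return [(i, *check_rule(r)) for i, r in enumerate(rules, 1)]

if __name__ == "__main__":
    for n, ok, msg in lint(SAMPLE_RULES):
        print("line %d: %s (%s)" % (n, "OK" if ok else "REJECT", msg))
```

Running it against the sample flags lines 1 and 4 and accepts lines 2 and 3, matching the "keep everything in one address family" advice above.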

Actions #4

Updated by Guy B over 5 years ago

Thanks!
