PF IPv6 equivalent for en0:network

Well, the title says it all. My IPv6 is not so good, I admit. I have some IPv4 rules that look like this:

Code:
pass in quick from en1:network to any keep state
pass out quick from any to en1:network keep state

And I would like an IPv6 equivalent rule. I want it like that because the network can change (portable WiFi).
 
Qualify the rules with the inet6 keyword. Something like:

Code:
pass in quick inet6 from en1:network to any
pass out quick inet6 from any to en1:network

Those rules will not match IPv4 traffic anymore, so you'll need the original rules as well, qualified with the inet keyword.

Code:
pass in quick inet from en1:network to any
pass out quick inet from any to en1:network

The keep state part of your rules is not needed; pf(4) defaults to stateful tracking.
 
Thanks,

I already started to think that my testing was flawed and that the notation was correct for IPv6 as well.
Just to be 100% sure.
So my original example would pass both inet4 and inet6?

Dirk
 
Well, further testing reveals this is not functional. I am testing on OS X Mavericks. The following lines: (en0 is properly configured)

Code:
pass in quick inet6 from en0:network to any
pass out quick inet6 from any to en0:network
give:

Code:
/etc/pf.conf:30: rule expands to no valid combination
/etc/pf.conf:31: rule expands to no valid combination
 
Well, unfortunately this is a FreeBSD forum, so your question about PF on OS X is more than a bit out of scope. I do, however, remember that this error comes up when the interface does not have an assigned IPv6 address, but I don't know how it all works on OS X.
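
An added example, not part of any post in this thread: a shell script that emits the inet/inet6 rule pairs only for the address families the interface currently has, assuming the cause the last reply recalls (no IPv6 address assigned to the interface). The function names and the sample ifconfig output are constructed for illustration, and any inet6 line is treated as an assigned address.

```shell
#!/bin/sh
# Emit per-family pf rules only for address families the interface has,
# so a rule such as "inet6 ... en0:network" is never written for an
# interface without an IPv6 address.

# Constructed sample: ifconfig-style output for an IPv4-only interface.
SAMPLE_V4_ONLY='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:00:5e:00:53:01
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Constructed sample: the same interface with an IPv6 address as well.
SAMPLE_DUAL="$SAMPLE_V4_ONLY
	inet6 2001:db8::10 prefixlen 64 autoconf"

# families: read ifconfig output on stdin, print "inet" and/or "inet6".
families() {
    awk '$1 == "inet"  { v4 = 1 }
         $1 == "inet6" { v6 = 1 }
         END { if (v4) print "inet"; if (v6) print "inet6" }'
}

# gen_rules IFACE: read ifconfig output on stdin, print one in/out rule
# pair per address family found. Prints nothing if no address is assigned.
gen_rules() {
    iface=$1
    for af in $(families); do
        echo "pass in quick $af from $iface:network to any"
        echo "pass out quick $af from any to $iface:network"
    done
}

# Demo on the constructed samples. On a live system the input would be
# the output of `ifconfig en0` instead.
echo "# IPv4-only interface:"
printf '%s\n' "$SAMPLE_V4_ONLY" | gen_rules en0
echo "# Dual-stack interface:"
printf '%s\n' "$SAMPLE_DUAL" | gen_rules en0
```

The generated lines can be written to a file and syntax-checked with `pfctl -nf` before being loaded.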
 