On 5/22/23 12:36, Stuart Henderson wrote:
> Huh. So a client can use some other source port to send to the server,
> but the server is still required to send packets back to port 546 on the
> client rather than the source port the client actually used. Who came
> up with this idea... (I am dubious that random DHCPv6 infrastructure on
> the 'net will cope with a different source port either).
>
> Anyway in that case the "out" rule would be
>
> pass out quick on pppoe0 proto udp to port dhcpv6-server received-on none
>
> The "in" rule is more problematic, I don't think we would want
>
> pass in quick on pppoe0 proto udp to port dhcpv6-client
>
> because that covers incoming packets to machines behind the router.
> We can't use "self" because addresses are determined at PF ruleset load
> time. Do we need "{(self) fe80::/10" or something?
>
> Is this something you had to change yourself or is it just from a strict
> reading of 8415?

RFC 2131 also does not state what source UDP ports DHCP clients and servers
MUST/SHOULD use. This caused Florian Obser to fix a bug in dhcpleased
(https://marc.info/?l=openbsd-bugs&m=163507791819694&w=2).
Shadrock Uhuru was having trouble with IPv6, and they got it to work once
they followed my pf ruleset
(https://marc.info/?l=openbsd-misc&m=167502694716840&w=2). I don't know
which rules exactly fixed their problem, but I don't think it makes sense
to have an overly restrictive ruleset. If one wants to iteratively add
more restrictive rules, then they can; but the base ruleset should conform
to RFC 8415.
I am aware that this allows more than one wants, but then again so does
not filtering for the exact IP of the DHCPv6 server. Obviously as the
maintainer, it is your call.
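Added example, not part of the thread or of any OpenBSD ruleset: a pf.conf fragment that applies the RFC 8415 port numbers discussed above (client on UDP 546, server/relay on UDP 547) to a router whose upstream is pppoe0, while keeping the "in" rule from matching replies addressed to hosts behind the router. The macro names ext_if and lan_if, and the choice of fe80::/10 as the server's source, are assumptions; the interface-in-parentheses form is used instead of "self" because pf re-evaluates it when the interface's addresses change.

```pf
# Added example (not from the thread). Assumed macro names.
ext_if = "pppoe0"
lan_if = "em1"

# Solicit/Request/Renew/Rebind sent by this router's own DHCPv6 client.
# No source port is given: RFC 8415 does not require the client to send
# from 546. "received-on none" limits the rule to packets generated on
# this host, so it does not also pass UDP/547 traffic forwarded from $lan_if.
pass out quick on $ext_if inet6 proto udp to port dhcpv6-server \
    received-on none

# Advertise/Reply from the upstream server. RFC 8415 has the server send to
# port 546 regardless of the source port the client used, so the rule must
# match on the destination port. The destination is restricted to this
# router's own addresses on $ext_if, expanded at run time because of the
# parentheses, so packets to port 546 on machines behind the router do not
# match. On a PPPoE link the server is on-link, hence the link-local source.
pass in quick on $ext_if inet6 proto udp from fe80::/10 port dhcpv6-server \
    to ($ext_if) port dhcpv6-client

# For contrast, the broad form discussed above. It also matches packets to
# port 546 on any host reachable through the router, which is why the
# narrower rule is used instead. Left commented out.
# pass in quick on $ext_if proto udp to port dhcpv6-client
```

Check the expansion with `pfctl -nvf /etc/pf.conf` before loading: the `($ext_if)` rule is listed with the interface in parentheses rather than a fixed address, which confirms it will track address changes on the PPPoE link without a ruleset reload. If the upstream answers from a global address rather than link-local, widen the source to match what `tcpdump -ni pppoe0 udp port 546` actually shows rather than dropping the source restriction altogether.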