On Fri, Jan 15, 2021 at 04:03:09PM +0100, Alexander Bluhm wrote:
> On Fri, Jan 15, 2021 at 03:24:43PM +0100, Klemens Nanni wrote:
> > Existing routers doing NAT64 for IPv6-only networks will require
> > `net.inet.ip.forwarding=1' for NAT64 to work.
>
> Actually you will need both of them.
>
> When sending "IPv6 -> pf-router -> IPv4" you need ip forwarding as
> pf translates the packet and then it is forwarded.

Sure.

> But you also want IPv4 packets from the internet to return to your
> local IPv6 network. For that ip6 forwarding is needed.

Yes, I did not mention `net.inet6.ip6.forwarding=1' because that is
already needed to get native IPv6 traffic flowing per se, so I naturally
assumed it to be set on an IPv6 router regardless of NAT64 usage.

Telling IPv6 users that forwarding must be enabled on their router is
pointing out the obvious; `af-to' requiring IPv4 forwarding to be
enabled is less intuitive, I'd say.

> My argument is that with ip forwarding = 0 no forwarded IPv4
> packet should leave your box. ip6 forwarding should prevent
> IPv6 packets.
>
> Currently pf af-to forwards packets regardless of the sysctl settings.
> This feels wrong.

I agree.
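As an added illustration (not part of the thread above, nor OpenBSD's own configuration), this is a minimal NAT64 router setup combining the two forwarding sysctls the thread discusses with an `af-to' rule in the form documented in pf.conf(5). The use of the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) and of the `egress' interface group for the IPv4 source address are assumptions made for this example.

```conf
# /etc/sysctl.conf (added example)
# IPv6 -> IPv4 direction: pf translates the packet to IPv4 and the kernel
# then forwards it, so IPv4 forwarding must be enabled.
net.inet.ip.forwarding=1
# IPv4 -> IPv6 direction: replies from the IPv4 internet are translated
# back to IPv6 and forwarded into the local network, so IPv6 forwarding
# must be enabled as well.
net.inet6.ip6.forwarding=1

# /etc/pf.conf (added example; rule form follows pf.conf(5), prefix and
# interface group are assumptions)
# Translate IPv6 traffic addressed to the well-known NAT64 prefix into
# IPv4, sourcing it from the address of the egress interface.
pass in inet6 from any to 64:ff9b::/96 af-to inet from (egress)
```

Both sysctls can be checked on a running system with `sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding`; per the thread, `af-to' translation does not itself depend on them, so they must be set explicitly rather than inferred from NAT64 appearing to work.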