pf: Document broadcast/multicast forwarding through route-to

pf_route() and pf_route6() forward broadcast and multicast traffic
when a route-to rule matches, without any check against the output
interface's broadcast domain. This is a deliberate property of the
route option code path, but it is not documented and the workaround
is non-obvious.

Document the behavior in pf.conf(5) with example block-out rules on
the target interface, scoped with the received-on qualifier so that
only forwarded traffic is dropped while the router's own broadcast
and multicast traffic continues to pass.

Add regression tests covering the full broadcast/multicast and
forwarded/local matrix on both IPv4 and IPv6.

Reviewed by:	glebius, kp
Approved by:	kp (mentor)
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D56559
R. Christian McDonald
2026-04-23 14:52:32 -04:00
parent aad4fec5d7
commit 4578c15ab9
2 changed files with 391 additions and 1 deletions
+45 -1
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 16, 2026
.Dd April 22, 2026
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2431,6 +2431,50 @@ option creates a duplicate of the packet and routes it like
.Ar route-to .
The original packet gets routed as it normally would.
.El
.Pp
Unlike the kernel's normal forwarding path, the route option forwarding
path does not drop broadcast or multicast traffic when the output
interface has been overridden by a route option.
If a
.Ar route-to ,
.Ar reply-to ,
or
.Ar dup-to
rule matches traffic destined to a broadcast address (either the
limited broadcast or a subnet-directed broadcast) or to an IPv4/IPv6
multicast address, the packet is forwarded out the specified interface,
which may cross broadcast domains.
.Pp
Rulesets that use
.Ar route-to ,
.Ar reply-to ,
or
.Ar dup-to
with a permissive destination
.Po e.g.\&
.Li from any to any
.Pc
can plug this leak with explicit
.Ar block out
rules on the route option's target interface.
To avoid blocking the router's own broadcast or multicast traffic,
scope the block rules to forwarded packets with the
.Ar received-on any
qualifier.
For example, assuming
.Li $wan
is the
.Ar route-to
target interface:
.Bd -literal -offset indent
block out quick on $wan inet from any to 255.255.255.255 received-on any
block out quick on $wan inet from any to ($wan:broadcast) received-on any
block out quick on $wan inet from any to 224.0.0.0/4 received-on any
block out quick on $wan inet6 from any to ff00::/8 received-on any
.Ed
.Pp
One block-out rule set is needed per interface that may be used as
a route option target.
.Sh POOL OPTIONS
For
.Ar nat
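Review bot: the example block-out set does not fully cover the subnet-directed broadcast case the preceding paragraph calls out. The new text says a route option can forward traffic destined to "either the limited broadcast or a subnet-directed broadcast", but the only directed-broadcast rule in the example is `block out quick on $wan inet from any to ($wan:broadcast) received-on any`, which matches the broadcast address of the $wan subnet only. A packet received on another attached interface and addressed to that interface's own directed broadcast (which the normal forwarding path would never send out $wan) is not matched by any of the four rules and would still leave via the route-to target. Suggest either adding a `($lan:broadcast)`-style rule for each other directly attached interface to the example, or stating in the text around "One block-out rule set is needed per interface" that the `:broadcast` entry must be repeated for every locally attached subnet whose directed broadcast could be forwarded, not just the target interface's own.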