
pf: make af-to less magical

from OpenBSD Journal (#72W7K)
Seasoned networkers will tell you that legacy IPv4 and modern IPv6 are not directly compatible: shipping traffic between an IPv4 and an IPv6 network requires address family translation.

On our favorite operating system and its siblings, pf has handled that case via the af-to option and its special-case rules since the OpenBSD 5.1 days.

But that special case has always felt a bit awkward to some, and now David Gwynne (dlg@) is airing a patch on tech@ with a view to making af-to "less magical".

In the message titled pf: make af-to less magical, David explains the motivation:

List: openbsd-tech
Subject: pf: make af-to less magical
From: David Gwynne <david () gwynne ! id ! au>
Date: 2026-01-16 2:11:57
Message-ID: aWmebWvdwBi6z98j () animata ! net

i only recently figured out that af-to is very special in pf, but i don't think it should be.

currently af-to has the following restrictions:

1. it only works for incoming packets, ie, you can only use it on "pass in" rules in pf.
2. it forces the translated packet to be forwarded.

a consequence of these, and 2 in particular, is that only one state is created for an af-to connection over the firewall. this is unlike other forwarded connections where there's generally two states created, one when the packet comes in from the wire into the stack, and another when the packet goes out from the stack to the wire.
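To make the restrictions David describes concrete, here is a minimal NAT64 ruleset written against today's af-to semantics. This is an added illustration, not code from the article or from the tech@ patch; the interface names (em0, em1), the use of the RFC 6052 well-known prefix and every address in it are assumptions chosen for the example.

```pf
# Added example, not from the page or the patch. Interface names, the
# NAT64 prefix and all addresses below are assumed for illustration.
ext_if = "em0"                  # IPv4 side (assumed)
int_if = "em1"                  # IPv6-only client side (assumed)
nat64_prefix = "64:ff9b::/96"   # RFC 6052 well-known prefix: the low 32 bits
                                # of a destination in it carry the IPv4 address

# IPv6 -> IPv4: clients reach IPv4 hosts through the NAT64 prefix.
# af-to is only accepted on a "pass in" rule, and the translated packet is
# always forwarded, so pf keeps a single state for the connection rather
# than the usual pair (one on the way into the stack, one on the way out).
# No "to" address is given: pf takes the IPv4 destination from the address
# embedded in the IPv6 destination.
pass in on $int_if inet6 from any to $nat64_prefix af-to inet from ($ext_if:0)

# IPv4 -> IPv6: a "to" address is required, because an IPv4 destination
# cannot embed an IPv6 one. Here one IPv6 web server (address assumed) is
# published on the firewall's IPv4 address.
pass in on $ext_if inet proto tcp from any to ($ext_if:0) port 80 \
    af-to inet6 from 2001:db8:1::1 to 2001:db8:1::80

# Restriction 1 in practice: the same translation written as an outgoing
# rule is not accepted by today's pfctl, which is the "magic" the patch
# aims to remove.
# pass out on $ext_if inet6 from any to $nat64_prefix af-to inet from ($ext_if:0)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` while an IPv6 client talks to an IPv4 host to see the single af-to state the message describes; the assumed addresses must of course be replaced with ones routed to the firewall.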

Read more at OpenBSD Journal (http://undeadly.org/; RSS feed: http://undeadly.org/cgi?action=rss).