author: dlg <dlg@openbsd.org> 2021-02-01 00:31:04 +0000
committer: dlg <dlg@openbsd.org> 2021-02-01 00:31:04 +0000
commit: 5812a4ad62ca07807ac0bc59f22eb8813e6069bc
tree: be8cd6ffe8be610ad9dc93adbda7dbb0a95867a3 /share
parent: more strictly enforce KEX state-machine by banning packet types
change route-to so it sends packets to IPs instead of interfaces.
this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

  this is because the information about where to route-to is stored in rules, and it is hard to have a ruleset synced between firewalls, and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

  yeah...

- the configuration and syntax for route-to rules are confusing.

  the argument to route-to and co is an interface name with an optional ip address. there are several problems with this. one is that people tend to think about routing as sending packets to peers by their address, not by the interface they're reachable on. another is that we currently have no way to synchronise interface topology information between firewalls, so using an interface to say where packets go means we can't do failover of these states with pfsync. another is that a change in routing topology means a host may become reachable over a different interface. tying routing policy to interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

  this allows route-to to keep working when the ruleset changes, and allows route-to info to be sent over pfsync. there's enough spare bits in pfsync messages that the protocol doesn't break. the caveat is that route-to becomes tied to pass rules that create state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

  it's not limited to a next-hop address (though a next-hop can be a destination address). this allows for the failover and load balancing referred to above.

- deprecates the address@interface host syntax in pfctl

  because routing is done entirely by IPs, the interface is derived from the route lookup, not pf. any attempt to use the @interface syntax will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others

ok sashan@ bluhm@
Diffstat (limited to 'share')
-rw-r--r-- share/man/man5/pf.conf.5 | 14
1 files changed, 5 insertions, 9 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 5be2f03e70d..3806dbc80fb 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.585 2020/12/07 08:29:41 sashan Exp $
+.\" $OpenBSD: pf.conf.5,v 1.586 2021/02/01 00:31:04 dlg Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org>
@@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 7 2020 $
+.Dd $Mdocdate: February 1 2021 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -1113,8 +1113,8 @@ the incoming connection arrived through (symmetric routing enforcement).
.It Cm route-to
The
.Cm route-to
-option routes the packet to the specified interface with an optional address
-for the next hop.
+option routes the packet to the specified destination address instead
+of the destination address in the packet header.
When a
.Cm route-to
rule creates state, only packets that pass in the same direction as the
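Review bot: the new wording in the route-to description leaves out two things the commit message says the reader now has to know. First, the argument is any destination address reached via a route lookup, not only a next hop, so a sentence such as "The address need not be a directly connected next hop; the outgoing interface and gateway are taken from the routing table." would make the failover behaviour explicit. Second, since the old "interface with an optional address" form and the address@interface syntax now fail in all contexts, a short note that the interface form is no longer accepted would save users of existing rulesets a confusing parse error.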
@@ -2858,8 +2858,7 @@ ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
interface-list = [ "!" ] ( interface-name | interface-group )
[ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" )
- ( routehost | "{" routehost-list "}" )
- [ pooltype ]
+ ( redirhost | "{" redirhost-list "}" )
af = "inet" | "inet6"
protospec = "proto" ( proto-name | proto-number |
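Review bot: dropping "[ pooltype ]" from the route production while switching the operand to redirhost-list leaves the grammar with a list of addresses and no stated way to choose among them, yet the commit message promises load balancing over such lists. Either restore "[ pooltype ]" after the list, or, if pool selection now applies implicitly, say so in the route-to description so the grammar and the prose agree.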
@@ -2878,14 +2877,11 @@ host = [ "!" ] ( address [ "weight" number ] |
address [ "/" mask-bits ] [ "weight" number ] |
"<" string ">" )
redirhost = address [ "/" mask-bits ]
-routehost = host | host "@" interface-name |
- "(" interface-name [ address [ "/" mask-bits ] ] ")"
address = ( interface-name | interface-group |
"(" ( interface-name | interface-group ) ")" |
hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
-routehost-list = routehost [ [ "," ] routehost-list ]
port = "port" ( unary-op | binary-op | "{" op-list "}" )
portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ]
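Review bot: with routehost and routehost-list removed here, please confirm there are no remaining references to either nonterminal elsewhere in the GRAMMAR section, and that the address production's "interface-name" alternative is still the intended way to name an interface as an address now that the "(" interface-name [ address ] ")" form is gone. A one-line entry in the page's compatibility notes recording that address@interface is rejected would also be worth adding alongside this hunk.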