January 16, 2026
No more Hogwarts in pf
pf: Make af-to less magical
OpenBSD pulls back the curtain on pf, devs cheer while ops groan
TLDR: An OpenBSD developer wants af-to to stop implicitly forwarding and act more predictably, which means simpler internals but extra outgoing pass rules to write. Community split: OpenBSD fans praise clarity, while ops worry about missed rules, and Linux users marvel that pf has built-in translation at all.
OpenBSD’s packet filter is getting a reality check: developer David Gwynne wants pf’s address-family translator (the “af-to” rule option, which rewrites packets between IPv4 and IPv6) to be less magical, meaning fewer hidden auto-forwards, more explicit rules, and simpler code. Translation: the wizard hat comes off, you’ll need to add an extra “let it out” rule for forwarded connections, but the internals stop doing backflips. The proposal even promises that translating traffic which originates on the machine itself will “Just Work™”, which had the Linux crowd peeking over the fence.
Cue the comments: one user confessed, “Wait, BSD has this built in?” while pointing out that on Linux the go-to is Jool, an add-on module that can’t translate traffic that starts on the machine itself. OpenBSD folks are split: the “explicit is better” camp is popping confetti for cleaner design, while operators grumble that this change means more rules and more ways to forget one, aka outage bingo. Memes flew—“Hogwarts closed, pf goes to community college,” “Just Works™ is famous last words,” and “af-to is now af-to-do.” The drama vibe: is this a brave cleanup or a sneaky breaking change? Fans say fewer footguns and clearer behavior; skeptics say “great, now I have two rules to babysit.” Either way, pf’s magic tricks are getting replaced with plain-English instructions, and the crowd’s watching with popcorn.
Key Points
- OpenBSD developer David Gwynne proposed a patch to make pf’s af-to feature less of a special case and simpler.
- Currently, af-to only works on “pass in” rules and forces forwarding: pf creates a single state per connection, and the feature needs special handling inside pf.
- The patch stops af-to from forcing forwarding: a translated packet is handed from ip_input to ip6_input rather than to ip6_forward, so it is routed or delivered like any other received packet.
- The existing handling of the PF_TAG_GENERATED and PF_TAG_REROUTE mbuf tags (the small state machine pf uses to avoid re-filtering packets it has already handled) is extended to ip_input/ip6_input so that pf_test does not process the translated packet a second time.
- Operationally, forwarded connections will now need explicit outgoing pass rules; in exchange the code gets simpler. The patch has had only minimal testing so far, and feedback is requested.
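What the last point means for a ruleset, as an added pf.conf illustration that is not from the proposal, the mailing list post or the OpenBSD tree: a NAT64 gateway that translates IPv6 clients to an IPv4 upstream. The interface names em0/em1, the address 192.0.2.1 and the 64:ff9b::/96 prefix are placeholders, and the claim that exactly one extra "pass out" rule is needed after the patch is my reading of the proposal, not something the page spells out.

```pf
# Added example, not the project's own configuration.
# Placeholders: interfaces, addresses and the NAT64 prefix are made up.
int_if = "em0"          # IPv6-only client side
ext_if = "em1"          # IPv4 upstream side
ext_v4 = "192.0.2.1"    # IPv4 source address for translated flows

# Strict default policy; this is what exposes the behaviour change.
block all

# Today this single rule is enough. af-to implies forwarding, pf creates
# one state, and the translated IPv4 packet is tagged so pf does not
# filter it again on the way out of $ext_if.
pass in on $int_if inet6 from any to 64:ff9b::/96 \
    af-to inet from $ext_v4

# With the proposed change the translated packet is handed to ip_input
# and leaves the box like any other packet, which means it is subject to
# the "out" rules on $ext_if. Under "block all" it now needs this rule;
# forget it and the connection is silently dropped on egress.
pass out on $ext_if inet from $ext_v4 to any

# If the ruleset already ends in a general "pass out", nothing changes.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. Because pass rules keep state by default, the second rule adds an outbound state on $ext_if, so `pfctl -ss` will show two states for one translated connection where the current code shows one; a sudden doubling of the state count after an upgrade is the expected signature of this change, not a leak.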