HeadlinesBriefing.com

OpenBSD's pf: Rethinking af-to for Simplicity

Hacker News: Front Page

David Gwynne from OpenBSD is proposing changes to how af-to handles IPv4-to-IPv6 translation in the packet filter (pf). Currently, af-to is treated as a special case, limiting its use to incoming packets and forcing forwarding behavior.

The proposed patch aims to make af-to behave more like other firewall translation rules. This simplifies the code by removing special handling and aligning it with the existing mechanisms used in the ip_output and ip6_output paths.

Operators may need to adjust rules to explicitly allow outgoing translated traffic. While this adds configuration overhead, it reduces complexity under the hood. Feedback is sought from users who rely on address family translation in real-world deployments.

The change reflects OpenBSD’s long-standing focus on clean, maintainable code. It could improve flexibility for dual-stack network environments where IPv4/IPv6 interoperability is essential.