Match on AddressFamily
Jochen Bern
Jochen.Bern at binect.de
Mon Jun 1 17:43:10 AEST 2026
On 31.05.26 at 16:31, Marc Haber wrote:
> I would like to have a Match on the Address Family of the outgoing
> connection, so that I can write like:
>
> Match RemoteAddressFamily inet6 Localnetwork 2001:db8:43fa:bc82::/64
> BindAddress 2001:db8:43fa:bc82::1f:100
>
> to make this BindAddress only effective when the outgoing connection
> will actually use IPv6.
>
> I can use "Match Exec", but that needs DNS lookups every time I ssh out.
Assuming that you *do* use FQDNs and do *not* have them all pre-listed
in /etc/hosts, how would you *avoid* doing DNS lookups (whose results
would then get cached locally and incur far less cost/delay when
looked up again), anyway?
"Match Host" matches IP addresses string-like, and IIUC does not resolve
hostnames in advance to try both name *and* IP against the matches. (If
it were doing subnets *and* pre-resolving, I would suggest something like

    Match Host !0.0.0.0/0,*
        BindAddress ...

to approximate an IPv6-only match ...) For IPv6 *IPs*, you may want to try

    Match *:*
        BindAddress ...

as ":" isn't legal for IPv4 or hostnames.
I do wonder, however, whether it'd be worthwhile to restrict the meaning
of BindAddress to "only if the connection-to-be uses that particular
address family", *and* add a "none" variant. So that users can choose,
for IPv4 and IPv6 independently, between "fixed address", "any (global?)
address", and "refuse this family".
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
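As an added illustration (not from either poster, and not OpenSSH's own code), the following POSIX sh helper shows the two approaches discussed above side by side: the ":"-in-the-string heuristic behind a "Match Host *:*" rule, which needs no lookup for IPv6 literals, and a "Match exec" helper that only falls back to a name lookup (via glibc's "getent ahostsv6", an assumption about the platform) when the destination is not a literal. The bracket stripping, the function names and the IPv4 classification are my own assumptions, as is the ssh_config fragment in the comments.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original post.
#
# Intended use from ssh_config (assumption; the "Match exec" command gets
# the destination host as %h, and exit status 0 means "match"):
#
#     Match exec "/usr/local/libexec/ssh-wants-ipv6 %h"
#         BindAddress 2001:db8:43fa:bc82::1f:100
#
# addr_family_of_literal HOST
#   Prints "inet6" for an IPv6 literal, "inet" for an IPv4 literal and
#   "name" for anything else.  This is the same test a "Match Host *:*"
#   rule performs implicitly: ":" cannot occur in a hostname or an IPv4
#   address, so its presence marks an IPv6 literal without any lookup.
addr_family_of_literal() {
    h=$1
    # Tolerate a bracketed literal such as "[::1]" (assumption: ssh itself
    # hands %h over without the brackets, but callers may pass them).
    case "$h" in
        \[*\]) h=${h#[}; h=${h%]} ;;
    esac
    case "$h" in
        *:*)           echo inet6 ;;   # any ":" => IPv6 literal
        ''|*[!0-9.]*)  echo name  ;;   # letters or empty => hostname
        *)             echo inet  ;;   # only digits and dots => IPv4 literal
    esac
}

# wants_ipv6 HOST
#   Returns 0 when the connection should use IPv6.  Literals are decided
#   locally; only a hostname triggers a resolver call, and only through
#   the system resolver (getent), so /etc/hosts and the local cache apply.
wants_ipv6() {
    case "$(addr_family_of_literal "$1")" in
        inet6) return 0 ;;
        inet)  return 1 ;;
    esac
    # Hostname: ask for AAAA-style results only.  "getent ahostsv6" is
    # glibc-specific (assumption); without it we conservatively say no.
    command -v getent >/dev/null 2>&1 || return 1
    getent ahostsv6 "$1" >/dev/null 2>&1
}

# When run as a script (e.g. from "Match exec"), decide for $1.
if [ "${0##*/}" = "ssh-wants-ipv6" ]; then
    wants_ipv6 "$1"
    exit $?
fi
```

The helper answers the original concern only partially: for an IPv6 literal it costs nothing, but for a hostname it still has to resolve the name, which is exactly what Jochen's reply points out cannot be avoided once FQDNs are in play.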