Date: Tue, 11 Nov 2025 17:39:03 GMT
Message-Id: <202511111739.5ABHd3fx058324@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kajetan Staszkiewicz
Subject: git: 562648ad4145 - stable/15 - pf: Make nat-to and rdr-to work properly both on in and out rules
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ks
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 562648ad414545bb4fb1f6da26273032c20875f3
Auto-Submitted: auto-generated

The branch stable/15 has been updated by ks:

URL: https://cgit.FreeBSD.org/src/commit/?id=562648ad414545bb4fb1f6da26273032c20875f3

commit 562648ad414545bb4fb1f6da26273032c20875f3
Author:     Kajetan Staszkiewicz
AuthorDate: 2025-10-01 13:51:46 +0000
Commit:     Kajetan Staszkiewicz
CommitDate: 2025-11-11 13:16:42 +0000

    pf: Make nat-to and rdr-to work properly both on in and out rules

    New-style address translation is done by nat-to and rdr-to actions on
    normal match and pass rules. Those rules, when used without address
    translation, can be specified without direction. But that allows users
    to specify pre-routing nat and post-routing rdr. This case is not
    handled properly and causes pre-routing nat to modify destination
    address, as if it was a rdr rule, and post-routing rdr to modify source
    address, as if it was a nat rule.

    Ensure that nat-to action modifies source address and rdr-to
    destination address no matter in which direction the rule is applied.
    The man page for pf.conf already specifies that nat-to and rdr-to rules
    should be limited to respective directions.
PR: 288577 Reviewed by: kp MFC after: 3 days Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D53216 (cherry picked from commit 646798b6783184fb194a2d97667e05895e00c358) --- sys/netpfil/pf/pf_lb.c | 16 +++++++++++++-- tests/sys/netpfil/pf/nat.sh | 47 ++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 56 insertions(+), 7 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 29d7a32e0bdc..bee9f4637091 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -974,6 +974,7 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule *r, { struct pf_pdesc *pd = ctx->pd; struct pf_addr *naddr; + int idx; uint16_t *nportp; uint16_t low, high; u_short reason; @@ -988,8 +989,19 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule *r, return (PFRES_MEMORY); } - naddr = &ctx->nk->addr[1]; - nportp = &ctx->nk->port[1]; + switch (nat_action) { + case PF_NAT: + idx = pd->sidx; + break; + case PF_BINAT: + idx = 1; + break; + case PF_RDR: + idx = pd->didx; + break; + } + naddr = &ctx->nk->addr[idx]; + nportp = &ctx->nk->port[idx]; switch (nat_action) { case PF_NAT: diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh index 5ea1dd6d8b2f..25cac1810349 100644 --- a/tests/sys/netpfil/pf/nat.sh +++ b/tests/sys/netpfil/pf/nat.sh 
@@ -474,14 +474,50 @@ no_addrs_random_cleanup() pft_cleanup } -nat_pass_head() +atf_test_case "nat_pass_in" "cleanup" +nat_pass_in_head() { - atf_set descr 'IPv4 NAT on pass rule' + atf_set descr 'IPv4 NAT on inbound pass rule' atf_set require.user root atf_set require.progs scapy } -nat_pass_body() +nat_pass_in_body() +{ + setup_router_server_ipv4 + # Delete the route back to make sure that the traffic has been NAT-ed + jexec server route del -net ${net_tester} ${net_server_host_router} + # Provide routing back to the NAT address + jexec server route add 203.0.113.0/24 ${net_server_host_router} + jexec router route add 203.0.113.0/24 -iface ${epair_tester}b + + pft_set_rules router \ + "block" \ + "pass in on ${epair_tester}b inet proto tcp nat-to 203.0.113.0 keep state" \ + "pass out on ${epair_server}a inet proto tcp keep state" + + ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201 + + jexec router pfctl -qvvsr + jexec router pfctl -qvvss + jexec router ifconfig + jexec router netstat -rn +} + +nat_pass_in_cleanup() +{ + pft_cleanup +} + +atf_test_case "nat_pass_out" "cleanup" +nat_pass_out_head() +{ + atf_set descr 'IPv4 NAT on outbound pass rule' + atf_set require.user root + atf_set require.progs scapy +} + +nat_pass_out_body() { setup_router_server_ipv4 # Delete the route back to make sure that the traffic has been NAT-ed @@ -500,7 +536,7 @@ nat_pass_body() jexec router netstat -rn } -nat_pass_cleanup() +nat_pass_out_cleanup() { pft_cleanup } @@ -823,7 +859,8 @@ atf_init_test_cases() atf_add_test_case "no_addrs_random" atf_add_test_case "map_e_compat" atf_add_test_case "map_e_pass" - atf_add_test_case "nat_pass" + atf_add_test_case "nat_pass_in" + atf_add_test_case "nat_pass_out" atf_add_test_case "nat_match" atf_add_test_case "binat_compat" atf_add_test_case "binat_match"
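Review bot: in the second pf_lb.c hunk (@@ -988,8 +989,19 @@), the new `switch (nat_action)` that picks `idx` has no `default:` case, so any nat_action other than PF_NAT, PF_BINAT or PF_RDR leaves `idx` uninitialised before it is used in `naddr = &ctx->nk->addr[idx];` and `nportp = &ctx->nk->port[idx];`, and compilers will also warn that `idx` may be used uninitialised. Add a default that fails loudly, e.g. `default: panic("%s: unexpected nat_action %d", __func__, nat_action);`, or a KASSERT on nat_action before the switch. The function already dispatches on the same value immediately afterwards (`switch (nat_action) { case PF_NAT:` is visible as trailing context), so the index selection could be folded into that existing switch rather than switching on nat_action twice in a row.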
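Review bot: in the first nat.sh hunk (@@ -474,14 +474,50 @@), only the `nat-to` on a `pass in` rule case gains a test; the commit message says `rdr-to` on an out rule was equally broken (it modified the source address), yet no counterpart case is added, so the PF_RDR / `pd->didx` branch of the fix is not exercised by this change. Consider a test that puts `rdr-to` on a `pass out` rule and checks that the destination, not the source, is rewritten. Two smaller points: nat_pass_in_body() duplicates the setup, route manipulation and diagnostic dumps of nat_pass_out_body() and differs only in the `pft_set_rules router` block, so a shared helper taking the rule set would keep the two cases from drifting; and the `jexec router pfctl -qvvsr` / `pfctl -qvvss` / `ifconfig` / `netstat -rn` dumps come after `ping_server_check_reply exit:0 ...`, so if that check fails the test before they run, they provide nothing for exactly the failure case they are meant to diagnose.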
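The direction handling that the commit message describes, as an added C example written for this page rather than code from FreeBSD or from the author: a user-space model of the index selection in pf_get_transaddr(), contrasting the old fixed choice of key slot 1 with the new per-action choice. It assumes pf's pdesc convention that an inbound packet's source sits in key slot 0 and an outbound packet's source in slot 1 (sidx/didx); the struct names, the rewritten_end() helper and the sample addresses are constructed for the example.

```c
#include <stdio.h>

enum pf_dir { PF_IN, PF_OUT };
enum nat_action { PF_NAT, PF_BINAT, PF_RDR };

/* Stand-in for struct pf_pdesc: which key slot holds source / destination. */
struct pdesc {
	int sidx;
	int didx;
};

/* Stand-in for the new state key: two IPv4 addresses in slot order. */
struct key {
	char addr[2][16];
};

/* Assumed convention, modelled on pf: an inbound packet's source is in
 * slot 0, an outbound packet's source is in slot 1. */
static void
setup_pdesc(struct pdesc *pd, enum pf_dir dir)
{
	pd->sidx = (dir == PF_IN) ? 0 : 1;
	pd->didx = (dir == PF_IN) ? 1 : 0;
}

/* Before the commit: slot 1 is rewritten whatever the action or direction. */
static int
old_trans_idx(enum nat_action action, const struct pdesc *pd)
{
	(void)action;
	(void)pd;
	return (1);
}

/* After the commit: nat-to follows the source slot, rdr-to the destination
 * slot, binat keeps slot 1.  A default case is added here so an unknown
 * action yields no slot rather than an uninitialised index. */
static int
new_trans_idx(enum nat_action action, const struct pdesc *pd)
{
	switch (action) {
	case PF_NAT:
		return (pd->sidx);
	case PF_BINAT:
		return (1);
	case PF_RDR:
		return (pd->didx);
	default:
		return (-1);
	}
}

/* Build the key for a packet src -> dst, write naddr into the slot chosen by
 * the old or new selection, and report which end of the packet changed:
 * 'S' source, 'D' destination, '?' no valid slot. */
static char
translate(enum nat_action action, enum pf_dir dir, int use_new,
    const char *src, const char *dst, const char *naddr, struct key *nk)
{
	struct pdesc pd;
	int idx;

	setup_pdesc(&pd, dir);
	snprintf(nk->addr[pd.sidx], sizeof(nk->addr[0]), "%s", src);
	snprintf(nk->addr[pd.didx], sizeof(nk->addr[0]), "%s", dst);

	idx = use_new ? new_trans_idx(action, &pd) : old_trans_idx(action, &pd);
	if (idx < 0 || idx > 1)
		return ('?');
	snprintf(nk->addr[idx], sizeof(nk->addr[0]), "%s", naddr);
	return (idx == pd.sidx ? 'S' : 'D');
}

/* Constructed sample: documentation addresses, 203.0.113.1 as the NAT address. */
static char
rewritten_end(enum nat_action action, enum pf_dir dir, int use_new)
{
	struct key nk;

	return (translate(action, dir, use_new, "192.0.2.10", "198.51.100.20",
	    "203.0.113.1", &nk));
}

int
main(void)
{
	static const struct {
		enum nat_action action;
		enum pf_dir dir;
		const char *name;
	} cases[] = {
		{ PF_NAT, PF_OUT, "nat-to on out" },
		{ PF_NAT, PF_IN, "nat-to on in" },
		{ PF_RDR, PF_IN, "rdr-to on in" },
		{ PF_RDR, PF_OUT, "rdr-to on out" },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-14s old rewrites %c, new rewrites %c\n", cases[i].name,
		    rewritten_end(cases[i].action, cases[i].dir, 0),
		    rewritten_end(cases[i].action, cases[i].dir, 1));
	return (0);
}
```

Build with `cc -Wall` and run; each line shows which end of the packet the old and the new selection rewrite. The two cases the commit message calls out are the ones where the columns differ: nat-to on an in rule (old code hits the destination slot) and rdr-to on an out rule (old code hits the source slot). Because the model fills the key in slot order rather than src/dst order, the same slot-1 choice lands on a different packet end depending on direction, which is exactly the behaviour the per-action idx removes.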