From nobody Wed Apr 16 18:02:56 2025
Date: Wed, 16 Apr 2025 18:02:56 GMT
Message-Id: <202504161802.53GI2uRp075860@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: e2177bca94f2 - main - pf: allow pf_get_sport() to work on in rules List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e2177bca94f28613ab4a47ef6d3469f80e8d5923 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=e2177bca94f28613ab4a47ef6d3469f80e8d5923 commit e2177bca94f28613ab4a47ef6d3469f80e8d5923 Author: Kristof Provost AuthorDate: 2025-04-16 08:47:58 +0000 Commit: Kristof Provost CommitDate: 2025-04-16 14:23:48 +0000 pf: allow pf_get_sport() to work on in rules The function pf_get_sport() did work for out rules only. Make it aware of the direction of the packet. Now nat-to can be used by in rules and together with divert-to. Collisions with existing states are found and produce a "NAT proxy port allocation failed" message. OK henning@ mikeb@ Obtained from: OpenBSD, bluhm , 4af3c109db Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_lb.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 9785611271a0..d40f4828eb62 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -226,6 +226,9 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, { struct pf_state_key_cmp key; struct pf_addr init_addr; + int dir = (pd->dir == PF_IN) ? PF_OUT : PF_IN; + int sidx = pd->sidx; + int didx = pd->didx; bzero(&init_addr, sizeof(init_addr)); 
@@ -291,11 +294,12 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, bzero(&key, sizeof(key)); key.af = pd->naf; key.proto = pd->proto; - key.port[0] = pd->ndport; - PF_ACPY(&key.addr[0], &pd->ndaddr, key.af); do { - PF_ACPY(&key.addr[1], naddr, key.af); + PF_ACPY(&key.addr[didx], &pd->ndaddr, key.af); + PF_ACPY(&key.addr[sidx], naddr, key.af); + key.port[didx] = pd->ndport; + if (udp_mapping && *udp_mapping) PF_ACPY(&(*udp_mapping)->endpoints[1].addr, naddr, pd->af); @@ -304,8 +308,8 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, * similar 2 portloop in in_pcbbind */ if (pd->proto == IPPROTO_SCTP) { - key.port[1] = pd->nsport; - if (!pf_find_state_all_exists(&key, PF_IN)) { + key.port[sidx] = pd->nsport; + if (!pf_find_state_all_exists(&key, dir)) { *nport = pd->nsport; return (0); } else { @@ -317,14 +321,14 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, * XXX bug: icmp states don't use the id on both sides. * (traceroute -I through nat) */ - key.port[1] = pd->nsport; - if (!pf_find_state_all_exists(&key, PF_IN)) { + key.port[sidx] = pd->nsport; + if (!pf_find_state_all_exists(&key, dir)) { *nport = pd->nsport; return (0); } } else if (low == high) { - key.port[1] = htons(low); - if (!pf_find_state_all_exists(&key, PF_IN)) { + key.port[sidx] = htons(low); + if (!pf_find_state_all_exists(&key, dir)) { if (udp_mapping && *udp_mapping != NULL) { (*udp_mapping)->endpoints[1].port = htons(low); if (pf_udp_mapping_insert(*udp_mapping) == 0) { 
@@ -350,14 +354,14 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, /* low <= cut <= high */ for (tmp = cut; tmp <= high && tmp <= 0xffff; ++tmp) { if (udp_mapping && *udp_mapping != NULL) { - (*udp_mapping)->endpoints[1].port = htons(tmp); + (*udp_mapping)->endpoints[sidx].port = htons(tmp); if (pf_udp_mapping_insert(*udp_mapping) == 0) { *nport = htons(tmp); return (0); } } else { - key.port[1] = htons(tmp); - if (!pf_find_state_all_exists(&key, PF_IN)) { + key.port[sidx] = htons(tmp); + if (!pf_find_state_all_exists(&key, dir)) { *nport = htons(tmp); return (0); } @@ -374,8 +378,8 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, return (0); } } else { - key.port[1] = htons(tmp); - if (!pf_find_state_all_exists(&key, PF_IN)) { + key.port[sidx] = htons(tmp); + if (!pf_find_state_all_exists(&key, dir)) { *nport = htons(tmp); return (0); }
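Review bot: in the `@@ -226,6 +226,9 @@` hunk the new `dir` holds the opposite of the packet's direction, which is what the later `pf_find_state_all_exists(&key, dir)` lookups want, but nothing in the hunk says so; a one-line comment above `int dir = (pd->dir == PF_IN) ? PF_OUT : PF_IN;` stating that the state is looked up from the reverse side (so that an out rule still yields the `PF_IN` every call site hard-coded before this change) would spare the next reader from re-deriving it. The `sidx`/`didx` copies are fine as they only mirror `pd->sidx`/`pd->didx` for indexing `key.addr[]` and `key.port[]`.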
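Review bot: in the `@@ -291,11 +294,12 @@` hunk the destination-side setup, `PF_ACPY(&key.addr[didx], &pd->ndaddr, key.af);` and `key.port[didx] = pd->ndport;`, moved from above the loop to inside `do { ... }`, yet neither value changes between iterations; only the `naddr` copy into `key.addr[sidx]` depends on the loop, so the two `didx` lines can stay where their `[0]` predecessors were. Keeping the loop body to the per-iteration work also makes the later `key.port[sidx]` assignments easier to audit against the fixed `didx` half of the key.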
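Review bot: the change from `(*udp_mapping)->endpoints[1].port = htons(tmp);` to `endpoints[sidx].port` in the `@@ -350,14 +354,14 @@` hunk is inconsistent with the other `udp_mapping` writes visible in this patch: the `low == high` branch in the `@@ -317,14 +321,14 @@` hunk still writes `(*udp_mapping)->endpoints[1].port = htons(low);`, and the address copy in the `@@ -291,11 +294,12 @@` hunk still targets `endpoints[1].addr`. The new form is behaviour-preserving only when `sidx == 1`, the case the old hard-coded index assumed; for the in-rule case this commit enables, either this write now lands on the other endpoint or the two untouched sites do, depending on whether `endpoints[]` is indexed by role (original/translated) or by packet direction. Please use one indexing scheme at all three sites and state it in a comment where the mapping is created.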
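Review bot: the `@@ -374,8 +378,8 @@` hunk opens at the `} } else {` that closes the `udp_mapping` branch of the second port-search loop, and no hunk in this patch touches old lines 364 to 373, so that branch's `endpoints[...].port = htons(tmp)` write was left exactly as it was while the first loop in the `@@ -350,14 +354,14 @@` hunk now writes `endpoints[sidx].port`. The two loops should stay symmetric: either apply the same index to the second loop's branch or revert the first loop's change. The mail also cuts the hunk off after `return (0); }`, so the trailing context of this loop cannot be checked here.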