Date: Thu, 30 Oct 2025 17:44:39 GMT
Message-Id: <202510301744.59UHid64092318@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kajetan Staszkiewicz
Subject: git: 646798b67831 - main - pf: Make nat-to and rdr-to work properly both on in and out rules
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: ks
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 646798b6783184fb194a2d97667e05895e00c358

The branch main has been updated by ks:

URL: https://cgit.FreeBSD.org/src/commit/?id=646798b6783184fb194a2d97667e05895e00c358

commit 646798b6783184fb194a2d97667e05895e00c358
Author:     Kajetan Staszkiewicz
AuthorDate: 2025-10-01 13:51:46 +0000
Commit:     Kajetan Staszkiewicz
CommitDate: 2025-10-30 17:32:21 +0000

    pf: Make nat-to and rdr-to work properly both on in and out rules

    New-style address translation is done by nat-to and rdr-to actions on
    normal match and pass rules. Those rules, when used without address
    translation, can be specified without direction. But that allows users
    to specify pre-routing nat and post-routing rdr. This case is not
    handled properly and causes pre-routing nat to modify the destination
    address, as if it were an rdr rule, and post-routing rdr to modify the
    source address, as if it were a nat rule.

    Ensure that the nat-to action modifies the source address and rdr-to
    the destination address no matter in which direction the rule is
    applied. The man page for pf.conf already specifies that nat-to and
    rdr-to rules should be limited to their respective directions.
PR: 288577 Reviewed by: kp MFC after: 3 days Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D53216 --- sys/netpfil/pf/pf_lb.c | 16 +++++++++++++-- tests/sys/netpfil/pf/nat.sh | 47 +++++++++++++++++++++++++++++++++++++++------ 2 files changed, 55 insertions(+), 8 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 5d85e16f18e3..4b1d74e0e61f 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -974,6 +974,7 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule *r, { struct pf_pdesc *pd = ctx->pd; struct pf_addr *naddr; + int idx; uint16_t *nportp; uint16_t low, high; u_short reason; @@ -988,8 +989,19 @@ pf_get_transaddr(struct pf_test_ctx *ctx, struct pf_krule *r, return (PFRES_MEMORY); } - naddr = &ctx->nk->addr[1]; - nportp = &ctx->nk->port[1]; + switch (nat_action) { + case PF_NAT: + idx = pd->sidx; + break; + case PF_BINAT: + idx = 1; + break; + case PF_RDR: + idx = pd->didx; + break; + } + naddr = &ctx->nk->addr[idx]; + nportp = &ctx->nk->port[idx]; switch (nat_action) { case PF_NAT: diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh index 1ef87cee3598..0824671fa0f1 100644 --- a/tests/sys/netpfil/pf/nat.sh +++ b/tests/sys/netpfil/pf/nat.sh 
@@ -477,15 +477,49 @@ no_addrs_random_cleanup() pft_cleanup } -atf_test_case "nat_pass" "cleanup" -nat_pass_head() +atf_test_case "nat_pass_in" "cleanup" +nat_pass_in_head() { - atf_set descr 'IPv4 NAT on pass rule' + atf_set descr 'IPv4 NAT on inbound pass rule' atf_set require.user root atf_set require.progs scapy } -nat_pass_body() +nat_pass_in_body() +{ + setup_router_server_ipv4 + # Delete the route back to make sure that the traffic has been NAT-ed + jexec server route del -net ${net_tester} ${net_server_host_router} + # Provide routing back to the NAT address + jexec server route add 203.0.113.0/24 ${net_server_host_router} + jexec router route add 203.0.113.0/24 -iface ${epair_tester}b + + pft_set_rules router \ + "block" \ + "pass in on ${epair_tester}b inet proto tcp nat-to 203.0.113.0 keep state" \ + "pass out on ${epair_server}a inet proto tcp keep state" + + ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201 + + jexec router pfctl -qvvsr + jexec router pfctl -qvvss + jexec router ifconfig + jexec router netstat -rn +} + +nat_pass_in_cleanup() +{ + pft_cleanup +} + +nat_pass_out_head() +{ + atf_set descr 'IPv4 NAT on outbound pass rule' + atf_set require.user root + atf_set require.progs scapy +} + +nat_pass_out_body() { setup_router_server_ipv4 # Delete the route back to make sure that the traffic has been NAT-ed @@ -504,7 +538,7 @@ nat_pass_body() jexec router netstat -rn } -nat_pass_cleanup() +nat_pass_out_cleanup() { pft_cleanup } @@ -874,7 +908,8 @@ atf_init_test_cases() atf_add_test_case "no_addrs_random" atf_add_test_case "map_e_compat" atf_add_test_case "map_e_pass" - atf_add_test_case "nat_pass" + atf_add_test_case "nat_pass_in" + atf_add_test_case "nat_pass_out" atf_add_test_case "nat_match" atf_add_test_case "binat_compat" atf_add_test_case "binat_match"
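Review bot: in the pf_lb.c hunk at `@@ -988,8 +989,19 @@`, the new `switch (nat_action)` has no `default:` branch, so `idx` is left uninitialized and is then used in `naddr = &ctx->nk->addr[idx];` should `nat_action` ever hold a value other than PF_NAT, PF_BINAT or PF_RDR; compilers will also flag `idx` as possibly uninitialized. Suggest either a `default:` that returns an error (or asserts the value is unexpected) or initializing `idx` at its declaration; since a second `switch (nat_action)` follows immediately, the slot selection could also be folded into that one to avoid dispatching on the same value twice.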
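Review bot: in the nat.sh hunk at `@@ -477,15 +477,49 @@`, `nat_pass_out_head()` is added without a preceding `atf_test_case "nat_pass_out" "cleanup"` line, whereas `nat_pass_in` gets one on the line that replaces the old `atf_test_case "nat_pass" "cleanup"`; the last hunk then registers `nat_pass_out` with `atf_add_test_case`, so the test case and its `nat_pass_out_cleanup` are not declared the way every other case in this file is. Suggest inserting `atf_test_case "nat_pass_out" "cleanup"` directly above `nat_pass_out_head()`. As a minor point, the trailing `pfctl -qvvsr`, `pfctl -qvvss`, `ifconfig` and `netstat -rn` dumps in `nat_pass_in_body` only add noise to a passing run; keeping them (as the existing body does) is fine, but a short comment that they are debugging aids would help the next reader.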
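As an added illustration of the slot mix-up the commit message describes (a constructed model, not pf's own code): it assumes the convention implied by the fix, that inbound packets carry sidx=0/didx=1 and outbound packets sidx=1/didx=0, and shows which address the old always-slot-1 choice and the new action-dependent choice rewrite for nat-to on an in rule and rdr-to on an out rule.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of pf_get_transaddr()'s slot choice; not pf's own code. */
enum pf_dir { DIR_IN, DIR_OUT };
enum nat_act { ACT_NAT, ACT_BINAT, ACT_RDR };

/* Assumed from the commit text: inbound packets use sidx=0/didx=1, outbound sidx=1/didx=0. */
static int sidx(enum pf_dir d) { return d == DIR_IN ? 0 : 1; }
static int didx(enum pf_dir d) { return d == DIR_IN ? 1 : 0; }

/* Slot choice before the fix: always addr[1], whatever the action or direction. */
static int slot_before(enum pf_dir d, enum nat_act a) { (void)d; (void)a; return 1; }

/* Slot choice after the fix, mirroring the new switch in the patch. */
static int slot_after(enum pf_dir d, enum nat_act a) {
    switch (a) {
    case ACT_NAT:   return sidx(d);  /* nat-to rewrites the source */
    case ACT_BINAT: return 1;
    case ACT_RDR:   return didx(d);  /* rdr-to rewrites the destination */
    }
    return -1; /* not reached for the three known actions */
}

/* Packet addresses as seen after translation. */
struct pkt { char src[16]; char dst[16]; };

/* Fill a two-slot key like ctx->nk->addr[], write the translation address into the
 * chosen slot, and read the source/destination back out by direction. */
static struct pkt translate(enum pf_dir d, enum nat_act a, const char *src, const char *dst,
                            const char *naddr, int (*slot)(enum pf_dir, enum nat_act)) {
    char addr[2][16];
    struct pkt out;
    snprintf(addr[sidx(d)], sizeof addr[0], "%s", src);
    snprintf(addr[didx(d)], sizeof addr[0], "%s", dst);
    snprintf(addr[slot(d, a)], sizeof addr[0], "%s", naddr);
    snprintf(out.src, sizeof out.src, "%s", addr[sidx(d)]);
    snprintf(out.dst, sizeof out.dst, "%s", addr[didx(d)]);
    return out;
}

int main(void) {
    /* Constructed addresses: 192.0.2.10 talks to 198.51.100.5, translation address 203.0.113.1. */
    const char *s = "192.0.2.10", *t = "198.51.100.5", *n = "203.0.113.1";
    struct pkt b = translate(DIR_IN, ACT_NAT, s, t, n, slot_before);
    struct pkt f = translate(DIR_IN, ACT_NAT, s, t, n, slot_after);
    printf("nat-to on in rule:  before %s -> %s, after %s -> %s\n", b.src, b.dst, f.src, f.dst);
    b = translate(DIR_OUT, ACT_RDR, s, t, n, slot_before);
    f = translate(DIR_OUT, ACT_RDR, s, t, n, slot_after);
    printf("rdr-to on out rule: before %s -> %s, after %s -> %s\n", b.src, b.dst, f.src, f.dst);
    return 0;
}
```

For the two directions the commit message already handled correctly (nat-to on out, rdr-to on in) the old and new slot choices coincide, which is why only the crossed cases misbehaved.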