From nobody Sun Mar 20 11:56:15 2022
X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BBF871A359BA
	for <freebsd-net@mlmmj.nyi.freebsd.org>; Sun, 20 Mar 2022 11:56:24 +0000 (UTC)
	(envelope-from freebsd@omnilan.de)
Received: from mx0.gentlemail.de (mx0.gentlemail.de [IPv6:2a00:e10:2800::a130])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KLx6b6CpPz4TNy
	for <freebsd-net@freebsd.org>; Sun, 20 Mar 2022 11:56:23 +0000 (UTC)
	(envelope-from freebsd@omnilan.de)
Received: from mh0.gentlemail.de (mh0.gentlemail.de [78.138.80.135])
	by mx0.gentlemail.de (8.15.2/8.15.2) with ESMTP id 22KBuFEs010548
	for <freebsd-net@freebsd.org>; Sun, 20 Mar 2022 12:56:15 +0100 (CET)
	(envelope-from freebsd@omnilan.de)
Received: from titan.inop.mo1.omnilan.net (s1.omnilan.de [217.91.127.234])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mh0.gentlemail.de (Postfix) with ESMTPSA id 8987462F
	for <freebsd-net@freebsd.org>; Sun, 20 Mar 2022 12:56:15 +0100 (CET)
To: freebsd-net@freebsd.org
From: Harry Schmalzbauer <freebsd@omnilan.de>
Subject: pf(4) action match/overload somehow?
Organization: OmniLAN
Message-ID: <6142d0eb-f73f-13cf-4f7f-67b2395f4709@omnilan.de>
Date: Sun, 20 Mar 2022 12:56:15 +0100
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-net
List-Help: <mailto:freebsd-net+help@freebsd.org>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Subscribe: <mailto:freebsd-net+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-net+unsubscribe@freebsd.org>
Sender: owner-freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Rspamd-Queue-Id: 4KLx6b6CpPz4TNy
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of freebsd@omnilan.de designates 2a00:e10:2800::a130 as permitted sender) smtp.mailfrom=freebsd@omnilan.de
X-Spamd-Result: default: False [-2.30 / 15.00];
	 RCVD_TLS_LAST(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 ARC_NA(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 R_SPF_ALLOW(-0.20)[+mx];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org];
	 TO_DN_NONE(0.00)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 HAS_ORG_HEADER(0.00)[];
	 RCVD_COUNT_THREE(0.00)[3];
	 DMARC_NA(0.00)[omnilan.de];
	 NEURAL_HAM_LONG(-1.00)[-0.999];
	 NEURAL_HAM_SHORT(-1.00)[-1.000];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 MLMMJ_DEST(0.00)[freebsd-net];
	 FROM_EQ_ENVFROM(0.00)[];
	 SUBJECT_ENDS_QUESTION(1.00)[];
	 R_DKIM_NA(0.00)[];
	 ASN(0.00)[asn:61157, ipnet:2a00:e10:2800::/38, country:DE];
	 MIME_TRACE(0.00)[0:+];
	 MID_RHS_MATCH_FROM(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

Hello,

the following real-world proglem urged me to allow UDP connections from 
LAN to any.
STUN is used to establish a fictious UDP connection to the connecting 
peer on a specific port, to drill the state-hole.

Therefore, I have these translation rules added before the general 
(non-"static-port" <- the NAT UDP-traversal key) translation rules
(translation is a first-match-wins):

nat on $INTERLINK_IF4 inet proto tcp from <cml_lansrc-approvedrtc> to 
<wknfriendly_cmlapproved-stun> port { 3478 5349 } -> $WANCMLnat static-port
nat on $INTERLINK_IF4 inet proto udp from <cml_lansrc-approvedrtc> to ! 
($INTERLINK_IF4:0:network) port >= 1024 -> $WANCMLnat static-port


The corresponding filter rules looks like this for my example:

pass in quick on $CML_IF inet proto { tcp udp } from 
<cml_lansrc-approvedrtc> to { <wknfriendly_cmlapproved-stun> 
<wknfriendly_cmlapproved-turn> } port { 3478 5349 } tag INTERLINK-op
pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc> to 
<wknfriendly_cmlapproved-turn> port >= 49152 tag INTERLINK-op
pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc> 
port > 1023 to any port >= 1023 tag INTERLINK-op

(actually "any" reads "! <_directnetaddrs-auto>", but it's of no matter 
to this topic and just more confusing in case...)


My problem is, I have to generously add any potential LAN client to 
<cml_lansrc-approvedrtc>, which I'd like to avoid (especially for the 
any-destination rule - last one above).

One way to avoid this was if I could use something like a "match" action 
in combination with what state option "overload" provides:
Do something on rule hit - filling table in this case, which could look 
like this:

\<Non-existing rule syntax\>
match in record-srcip on $IF inet proto { tcp udp } from $IF to 
<wknfriendly_cmlapproved-stun> port  3478 table <cml_lansrc-approvedrtc>
\</Non-existing rule syntax\>

This way, the permission to connect with global IP (and orginating 
src-port) to any UDP destination is only allowed for clients, which have 
previously talked to one of our well known and approved STUN servers.

Any idea if there's already something in pf(4) which could provide a 
similar solution?
"overload" only is available for |max-src-conn and |||max-src-conn-rate, 
which in turn is for TCP only.||

||
||

||Thanks,||

||-harry
||