[Bug 288577] pf: pass out ... rdr-to changes source address instead of destination address
Date: Thu, 30 Oct 2025 17:45:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288577
--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL:
https://cgit.FreeBSD.org/src/commit/?id=646798b6783184fb194a2d97667e05895e00c358
commit 646798b6783184fb194a2d97667e05895e00c358
Author: Kajetan Staszkiewicz <ks@FreeBSD.org>
AuthorDate: 2025-10-01 13:51:46 +0000
Commit: Kajetan Staszkiewicz <ks@FreeBSD.org>
CommitDate: 2025-10-30 17:32:21 +0000
pf: Make nat-to and rdr-to work properly both on in and out rules
New-style address translation is done by nat-to and rdr-to actions on
normal match and pass rules. Those rules, when used without address
translation, can be specified without direction. But that allows users
to specify pre-routing nat and post-routing rdr. This case is not
handled properly and causes pre-routing nat to modify destination
address, as if it was a rdr rule, and post-routing rdr to modify source
address, as if it was a nat rule.
Ensure that nat-to action modifies source address and rdr-to destination
address no matter in which direction the rule is applied. The man page
for pf.conf already specifies that nat-to and rdr-to rules should be
limited to respective directions.
PR: 288577
Reviewed by: kp
MFC after: 3 days
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D53216
sys/netpfil/pf/pf_lb.c | 16 +++++++++++++--
tests/sys/netpfil/pf/nat.sh | 47 +++++++++++++++++++++++++++++++++++++++------
2 files changed, 55 insertions(+), 8 deletions(-)
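To make the directional rule of the commit message concrete, here is an added pf.conf(5) fragment written for this page; it is not part of the commit, the bug report, or the FreeBSD tree. The interface name, addresses and networks are invented for illustration, and the rules use the new-style nat-to / rdr-to actions on pass rules that the commit describes.

```pf
# Constructed example values; replace with your own interface and addresses.
ext_if  = "vtnet0"
ext_ip  = "203.0.113.10"
lan_net = "10.0.0.0/24"
web_srv = "10.0.0.80"

# Outbound source translation: nat-to belongs on an "out" rule (post-routing).
# It rewrites the SOURCE address of LAN clients to the external address.
pass out on $ext_if inet from $lan_net to any nat-to $ext_ip

# Inbound redirection: rdr-to belongs on an "in" rule (pre-routing).
# It rewrites the DESTINATION address of connections arriving at $ext_ip.
pass in on $ext_if inet proto tcp from any to $ext_ip port 80 rdr-to $web_srv

# A rule with no direction is evaluated on both the in and the out path.
# According to the commit message above, before 646798b6 the out-path
# evaluation of an rdr-to rule modified the source address as if it were a
# nat-to rule (and an in-path nat-to modified the destination), which is the
# symptom reported in PR 288577.  Keep the direction explicit, as pf.conf(5)
# already requires, rather than relying on the fix:
# pass on $ext_if inet proto tcp from any to $ext_ip port 80 rdr-to $web_srv
```

Check the file with `pfctl -nvf /etc/pf.conf` before loading it; the `-n` flag only parses and prints the expanded rules. After loading, `pfctl -ss` shows the state table, where the translated address appears alongside the original tuple, so you can confirm that the inbound rule changed the destination and the outbound rule changed the source.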