PF binat rule issue - feature or bug?

George Davidovich freebsd at optimis.net
Fri Dec 4 22:56:51 UTC 2009


On Fri, Dec 04, 2009 at 10:41:20AM -0600, Greg Barniskis wrote:
> Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way) 
> that if I have a pf.conf rule like
> 
> nat on $ext_if proto { tcp udp icmp } from $my_subnet \
>    to any -> some.public.ip.num
> 
> then pfctl will perform the expected expansion of the listed protocols 
> into three separate NAT rules.
> 
> However, if I have a rule like
> 
> binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
>    to any -> $server_public_ip
> 
> then I will /only/ get one NAT rule, for TCP.
> 
> Then things like NTP, DNS and ping will fail, but the filtering rules 
> that permit such traffic will increment their byte, packet and state 
> counters like PF is working just fine (and I suppose in some sense that 
> the filtering part is). But only if I explicitly declare in pf.conf a 
> separate binat rule for each desired protocol, instead of listing them, 
> will things work as needed.
> 
> Feature or bug? If the former, it is not well documented that I could 
> see. I expected that a list of protocols for a binat rule would just 
> work, and pfctl certainly didn't mark it as bad syntax. If a bug, is 
> this a FreeBSD bug or OpenBSD?

The BNF grammar in pfconf(5) suggests that binat rules don't take a
list.  Summarised:

nat-rule   = ... "proto" ( proto-name | proto-number | "{" proto-list "}" )

binat-rule = ... proto ( proto-name | proto-number )  

-- 
George


More information about the freebsd-questions mailing list