The following reply was made to PR system/6564; it has been noted by GNATS.

From: Mike Belopuhov <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: system/6564: pf not nating(does not see) icmp4 port unreachable packets from machine behind pf
Date: Thu, 17 Feb 2011 12:57:43 +0100

 On Thu, Feb 17, 2011 at 12:51 +1100, [email protected] wrote:
 > pf rules:
 > match in on $int inet from $int_network_machine to any tag PASS
 > match out on $ext inet from $int_network_machine to any tag PASS nat-to $ext static-port
 > match in on $ext inet from any to $ext tag PASS rdr-to $int_network_machine
 > pass all flags S/SA keep state tagged PASS
 > tcpdump on $ext:
 > $int_network_machine > $some_external_machine: icmp: $ext udp port $any_unresponsive_port unreachable
 > pf does not see this packet as icmp
 > >How-To-Repeat:
 > send any udp packet to $ext in $any_unresponsive_port on $int_network_machine
 > tested on 47,48,49
 > >Fix:
 > 
 
 the problem here turns out to be in the rdr part.  apparently
 icmp errors don't get their source address properly rewritten.
 
 this fixes an issue for me.
 
 Index: pf.c
 ===================================================================
 RCS file: /home/cvs/src/sys/net/pf.c,v
 retrieving revision 1.726
 diff -u -p -r1.726 pf.c
 --- pf.c       14 Feb 2011 11:01:36 -0000      1.726
 +++ pf.c       17 Feb 2011 11:54:53 -0000
 @@ -4498,8 +4498,7 @@ pf_test_state_icmp(struct pf_state **sta
                                    &nk->addr[pd2.didx], pd2.af) ||
                                    nk->port[pd2.didx] != th.th_dport)
                                        pf_change_icmp(pd2.dst, &th.th_dport,
 -                                          NULL, /* XXX Inbound NAT? */
 -                                          &nk->addr[pd2.didx],
 +                                          saddr, &nk->addr[pd2.didx],
                                            nk->port[pd2.didx], NULL,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 0, pd2.af);
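Review bot: passing saddr as the outer-address argument makes the outer IP source get rewritten whenever the inner destination (pd2.dst) differs from nk->addr[pd2.didx], but the outer source and the inner destination are only the same host when the error was generated by the final destination; an error from an intermediate router (TTL exceeded, fragmentation needed) carries the router's address as outer source and would now be replaced by nk->addr[pd2.didx] as well. Consider guarding the outer rewrite on the outer source actually matching the inner destination, or add a comment explaining why that misattribution is acceptable here.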
 @@ -4576,8 +4575,7 @@ pf_test_state_icmp(struct pf_state **sta
                                    &nk->addr[pd2.didx], pd2.af) ||
                                    nk->port[pd2.didx] != uh.uh_dport)
                                        pf_change_icmp(pd2.dst, &uh.uh_dport,
 -                                          NULL, /* XXX Inbound NAT? */
 -                                          &nk->addr[pd2.didx],
 +                                          saddr, &nk->addr[pd2.didx],
                                            nk->port[pd2.didx], &uh.uh_sum,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 1, pd2.af);
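Review bot: this UDP hunk is the path the PR exercises (the tcpdump shows a udp port unreachable originating from $int_network_machine), yet the cover text only says it "fixes an issue for me"; the commit message should state that the ICMP error's outer source is now translated back to the rdr-to address together with the quoted inner destination, and the change should be checked against the reporter's full ruleset, which also applies nat-to $ext static-port on the same interface, to confirm replies to outbound nat'd traffic are unaffected.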
 @@ -4653,7 +4651,7 @@ pf_test_state_icmp(struct pf_state **sta
  
                                if (PF_ANEQ(pd2.dst,
                                    &nk->addr[pd2.didx], pd2.af))
 -                                       pf_change_icmp(pd2.dst, NULL, NULL,
 +                                       pf_change_icmp(pd2.dst, NULL, saddr,
                                            &nk->addr[pd2.didx], 0, NULL,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 0, AF_INET);
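Review bot: every caller touched in this diff now passes saddr, so check whether any remaining caller of pf_change_icmp still passes NULL for the outer address; if none does, the NULL handling inside pf_change_icmp becomes dead code and its comment should be updated, and if some do, a short comment here on why the ICMP-in-ICMP case needs the outer source rewritten would help the next reader.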
 @@ -4728,7 +4726,7 @@ pf_test_state_icmp(struct pf_state **sta
  
                                if (PF_ANEQ(pd2.dst,
                                    &nk->addr[pd2.didx], pd2.af))
 -                                      pf_change_icmp(pd2.dst, NULL, NULL,
 +                                      pf_change_icmp(pd2.dst, NULL, saddr,
                                            &nk->addr[pd2.didx], 0, NULL,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 0, AF_INET6);
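Review bot: for the AF_INET6 case, rewriting the outer source changes the ICMPv6 checksum, because the v6 pseudo-header covers the addresses and there is no outer IP header checksum to fix up; confirm that pf_change_icmp folds the outer-address change into icmpsum for AF_INET6 rather than only into the pd->ip_sum path, otherwise the translated error arrives with a bad checksum and is discarded by the receiver.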
 @@ -4774,8 +4772,7 @@ pf_test_state_icmp(struct pf_state **sta
  
                                if (PF_ANEQ(pd2.dst,
                                    &nk->addr[pd2.didx], pd2.af))
 -                                      pf_change_icmp(pd2.src, NULL,
 -                                          NULL, /* XXX Inbound NAT? */
 +                                      pf_change_icmp(pd2.dst, NULL, saddr,
                                            &nk->addr[pd2.didx], 0, NULL,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 0, pd2.af);
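Review bot: besides the saddr change, this hunk also swaps the first argument from pd2.src to pd2.dst, which the reply does not mention; the guard tests pd2.dst against nk->addr[pd2.didx], so the old call was rewriting the inner source under a destination condition, and that fix deserves its own sentence in the commit message (or a separate commit) so it is not lost inside the NAT change.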
