The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=97a74f46162139e360d58c924586b615828b471b
commit 97a74f46162139e360d58c924586b615828b471b
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-04-04 16:11:27 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-04-09 08:18:20 +0000
pfctl: fix no nat / no rdr rules
In aeddee83341 the nat rule parsing was significantly reworked, unintentionally breaking no nat / no rdr rules. The option to not have a -> ... redirspec was omitted. Add trivial test cases to catch such issues in the future.
Reported by: Thomas Pasqualini <thomas.pasqual...@orange.com>
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D49665
---
 sbin/pfctl/parse.y | 3 ++-
 sbin/pfctl/tests/files/pf1065.in | 1 +
 sbin/pfctl/tests/files/pf1065.ok | 1 +
 sbin/pfctl/tests/files/pf1066.in | 1 +
 sbin/pfctl/tests/files/pf1066.ok | 1 +
 sbin/pfctl/tests/pfctl_test_list.inc | 2 ++
 6 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 1362ae43428c..8c01da9e6220 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -4559,7 +4559,8 @@ port_redirspec : no_port_redirspec;
 }
 /* Redirection with an arrow and an optional port: FreeBSD NAT rules */
-nat_redirspec : ARROW port_redirspec {
+nat_redirspec : /* empty */ { $$ = NULL; }
+ | ARROW port_redirspec {
 $$ = $2;
 }
 ;
diff --git a/sbin/pfctl/tests/files/pf1065.in b/sbin/pfctl/tests/files/pf1065.in
new file mode 100644
index 000000000000..690045befee6
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1065.in
@@ -0,0 +1 @@
+no nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1065.ok b/sbin/pfctl/tests/files/pf1065.ok
new file mode 100644
index 000000000000..651a2fa0ae09
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1065.ok
@@ -0,0 +1 @@
+no nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1066.in b/sbin/pfctl/tests/files/pf1066.in
new file mode 100644
index 000000000000..e81461c470ab
--- /dev/null
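Review bot: The new empty alternative of `nat_redirspec` in sbin/pfctl/parse.y yields `$$ = NULL`, so every rule action that consumes this value now has to cope with a NULL redirspec. Those actions lie outside the hunk and should be checked both for a NULL dereference and for still rejecting a plain `nat` / `rdr` rule written without `->`, since the grammar alone no longer does. The comment above the rule is also stale now that the arrow is optional; something like `/* Optional redirection: '->' with an optional port, or nothing for 'no nat' / 'no rdr' */` would match what the rule accepts.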
+++ b/sbin/pfctl/tests/files/pf1066.in
@@ -0,0 +1 @@
+no rdr on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1066.ok b/sbin/pfctl/tests/files/pf1066.ok
new file mode 100644
index 000000000000..5ff596fa0158
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1066.ok
@@ -0,0 +1 @@
+no rdr on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc
index c6329b978a21..6a8d76390bd6 100644
--- a/sbin/pfctl/tests/pfctl_test_list.inc
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -173,3 +173,5 @@ PFCTL_TEST_IFACE(1061, "Interface translation: IPv6 rule, interface without brac
 PFCTL_TEST_IFACE(1062, "Interface translation: IPv6 rule, interface without brackets is translated, extra host, round-robin is applied")
 PFCTL_TEST_IFACE(1063, "Interface translation: IPv6 rule, interface with brackets is not translated, round-robin is applied")
 PFCTL_TEST_IFACE(1064, "Interface translation: IPv6 rule, interface with brackets is not translated, extra host, round robin is applied")
+PFCTL_TEST(1065, "no nat")
+PFCTL_TEST(1066, "no rdr")
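Review bot: Cases 1065 and 1066 in pfctl_test_list.inc pin only the accepting side of the fix, and both inputs are IPv6. Because the grammar now lets any translation rule omit the redirspec, a companion case expecting a parse failure for an input such as `nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2` (constructed from the 1065 input) would guard the semantic check the parser presumably relies on. If `no nat` with a `->` target is meant to be rejected, a case for that would cover the opposite direction, and an IPv4 variant of the two accepted inputs would be cheap to add.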