CVSROOT:	/cvs
Module name:	src
Changes by:	clau...@cvs.openbsd.org	2009/10/06 15:21:48

Modified files:
	sys/net        : pf.c pfvar.h
	sys/netinet    : ip_output.c
	sys/netinet6   : ip6_forward.c ip6_output.c
	sys/sys        : mbuf.h

Log message:
Redo the route lookup in the output (and IPv6 forwarding) path if the
destination of a packet was changed by pf. This allows for some evil games
with rdr-to or nat-to but is mostly needed for better rdomain/rtable support.
This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
	from local rdr-to local addr		works (if state tracking on lo0 is done)
	from remote rdr-to local addr		does NOT work
	from local rdr-to remote		works
	from remote rdr-to remote		works
pass in nat-to:
	from remote nat-to local addr		does NOT work
	from remote nat-to non-local addr	works
	non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
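The matrix in the log message, written out as pf.conf rules. This is an added illustration, not part of the commit or of the OpenBSD tree; it uses the rdr-to/nat-to rule syntax that shipped with OpenBSD 4.7 (the commit notes it still needed a patched pfctl at the time), and the interface name, the addresses and the 10.0.0.0/24 network are assumed for the example. The rules only encode what the commit lists as working or not working; they are not a tested ruleset.

```text
# Assumed topology for the example: $ext_if is the firewall's external
# interface, 192.0.2.1 is assigned to it, 192.0.2.2 is routed to the
# firewall but NOT assigned on it ("non-local" in the commit message),
# and 10.0.0.0/24 is an internal network reached through the firewall.
ext_if = "em0"
fw_addr = "192.0.2.1"
non_local = "192.0.2.2"

# --- pass out rdr-to (destination rewritten on the outbound path) ---

# from local rdr-to local addr: works, provided state is also tracked
# on lo0 so the redirected packet is matched when it loops back.
pass out quick on lo0 proto tcp from (self) to $fw_addr port 8080 \
    rdr-to 127.0.0.1 port 80

# from remote rdr-to local addr: does NOT work after this commit.
# The destination would be rewritten outbound, which is too late for a
# packet that should have been delivered locally.
# pass out on $ext_if proto tcp from !(self) to $fw_addr port 80 \
#     rdr-to 127.0.0.1 port 8080

# from local rdr-to remote: works (the new route lookup after pf picks
# the right next hop for the rewritten destination).
pass out on $ext_if proto tcp from (self) to $non_local port 80 \
    rdr-to 10.0.0.10 port 80

# from remote rdr-to remote: works.
pass out on $ext_if proto tcp from !(self) to $non_local port 80 \
    rdr-to 10.0.0.10 port 80

# --- pass in nat-to (source rewritten on the inbound path) ---

# from remote nat-to local addr: does NOT work (same reason as above:
# the rewrite would have to happen before local delivery).
# pass in on $ext_if proto tcp from !(self) to 10.0.0.10 port 80 \
#     nat-to $fw_addr

# from remote nat-to non-local addr: works, because $non_local is
# routed to the firewall but not assigned on it, so the packet is
# forwarded rather than delivered locally.
pass in on $ext_if proto tcp from !(self) to 10.0.0.10 port 80 \
    nat-to $non_local
```

The two commented-out rules mark the cases the commit calls out as not working yet; the rest are the cases it lists as working once the route lookup is redone after pf has changed the destination.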