Re: pf doesn't rewrite source address for the icmp errors with rdr-to

Wed, 23 Feb 2011 04:52:53 -0800 

On Thu, Feb 17, 2011 at 14:00 +0100, Mike Belopuhov wrote:
> in the simple setup, like the one described in the pr 6564,
> pf won't rewrite source address for the icmp errors (like
> destination unreachable) when doing rdr-to.
> 
> this diff fixes issue for me and a pr originator.  comments?
> do we want to put it into 4.9?
> 

hi, i'm your friendly reminder that w/o this diff pf will be sending
out untranslated icmp error packets to the interwebs and anything can
happen!  save a kitten, okay a diff!

> Index: pf.c
> ===================================================================
> RCS file: /home/cvs/src/sys/net/pf.c,v
> retrieving revision 1.726
> diff -u -p -r1.726 pf.c
> --- pf.c      14 Feb 2011 11:01:36 -0000      1.726
> +++ pf.c      17 Feb 2011 11:54:53 -0000
> @@ -4498,8 +4498,7 @@ pf_test_state_icmp(struct pf_state **sta
>                                   &nk->addr[pd2.didx], pd2.af) ||
>                                   nk->port[pd2.didx] != th.th_dport)
>                                       pf_change_icmp(pd2.dst, &th.th_dport,
> -                                         NULL, /* XXX Inbound NAT? */
> -                                         &nk->addr[pd2.didx],
> +                                         saddr, &nk->addr[pd2.didx],
>                                           nk->port[pd2.didx], NULL,
>                                           pd2.ip_sum, icmpsum,
>                                           pd->ip_sum, 0, pd2.af);
> @@ -4576,8 +4575,7 @@ pf_test_state_icmp(struct pf_state **sta
>                                   &nk->addr[pd2.didx], pd2.af) ||
>                                   nk->port[pd2.didx] != uh.uh_dport)
>                                       pf_change_icmp(pd2.dst, &uh.uh_dport,
> -                                         NULL, /* XXX Inbound NAT? */
> -                                         &nk->addr[pd2.didx],
> +                                         saddr, &nk->addr[pd2.didx],
>                                           nk->port[pd2.didx], &uh.uh_sum,
>                                           pd2.ip_sum, icmpsum,
>                                           pd->ip_sum, 1, pd2.af);
> @@ -4653,7 +4651,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>                               if (PF_ANEQ(pd2.dst,
>                                   &nk->addr[pd2.didx], pd2.af))
> -                                       pf_change_icmp(pd2.dst, NULL, NULL,
> +                                       pf_change_icmp(pd2.dst, NULL, saddr,
>                                           &nk->addr[pd2.didx], 0, NULL,
>                                           pd2.ip_sum, icmpsum,
>                                           pd->ip_sum, 0, AF_INET);
> @@ -4728,7 +4726,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>                               if (PF_ANEQ(pd2.dst,
>                                   &nk->addr[pd2.didx], pd2.af))
> -                                     pf_change_icmp(pd2.dst, NULL, NULL,
> +                                     pf_change_icmp(pd2.dst, NULL, saddr,
>                                           &nk->addr[pd2.didx], 0, NULL,
>                                           pd2.ip_sum, icmpsum,
>                                           pd->ip_sum, 0, AF_INET6);
> @@ -4774,8 +4772,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>                               if (PF_ANEQ(pd2.dst,
>                                   &nk->addr[pd2.didx], pd2.af))
> -                                     pf_change_icmp(pd2.src, NULL,
> -                                         NULL, /* XXX Inbound NAT? */
> +                                     pf_change_icmp(pd2.dst, NULL, saddr,
>                                           &nk->addr[pd2.didx], 0, NULL,
>                                           pd2.ip_sum, icmpsum,
>                                           pd->ip_sum, 0, pd2.af);

Reply via email to