On Mon, Nov 21, 2016 at 07:15:31PM +0100, Mike Belopuhov wrote:
> I'm surprised this works as I'm pretty sure it didn't way back when...

At least it does work with my regression tests.  There I test
forwarding, path MTU discovery and traceroute over a router with pf
af-to.  Protocols are ping, udp, tcp.  Translation is done from
inet to inet6 and vice versa.

Is someone using a real life af-to setup with OpenBSD-current and
wants to test it?  You need a recent checkout so that this patch
will apply.

bluhm

Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1002
diff -u -p -r1.1002 pf.c
--- net/pf.c    23 Nov 2016 12:13:23 -0000      1.1002
+++ net/pf.c    23 Nov 2016 16:22:26 -0000
@@ -6881,10 +6881,16 @@ done:
                pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
                switch (pd.naf) {
                case AF_INET:
-                       ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
+                       if (pd.dir == PF_IN)
+                               ip_forward(pd.m, ifp, NULL, 1);
+                       else
+                               ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
                        break;
                case AF_INET6:
-                       ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
+                       if (pd.dir == PF_IN)
+                               ip6_forward(pd.m, NULL, 1);
+                       else
+                               ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
                        break;
                }
                pd.m = NULL;
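Review bot: The new PF_IN branches hand the translated packet straight to ip_forward() and ip6_forward(), so any forwarding policy check that the normal input path performs before those calls is skipped here. Their bodies are not visible in this patch, but if the `ipforwarding` / `ip6_forwarding` sysctl tests are done by the callers rather than inside the forward routines, a host with forwarding disabled would still route af-to traffic arriving on the inbound side. A guard before each call, such as `if (ipforwarding == 0) { m_freem(pd.m); break; }` and its inet6 equivalent, would keep the af-to path consistent with the administrator's forwarding setting. The bare `NULL, 1` arguments would also benefit from a one-line comment stating what the final flag selects and why it is set for translated packets. The enclosing function starts and ends outside this hunk.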
Index: netinet/ip_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.286
diff -u -p -r1.286 ip_input.c
--- netinet/ip_input.c  23 Nov 2016 10:04:31 -0000      1.286
+++ netinet/ip_input.c  23 Nov 2016 14:28:21 -0000
@@ -129,7 +129,6 @@ static struct mbuf_queue    ipsend_mq;
 void   ip_ours(struct mbuf *);
 int    ip_dooptions(struct mbuf *, struct ifnet *);
 int    in_ouraddr(struct mbuf *, struct ifnet *, struct rtentry **);
-void   ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
 #ifdef IPSEC
 int    ip_input_ipsec_fwd_check(struct mbuf *, int);
 int    ip_input_ipsec_ours_check(struct mbuf *, int);
Index: netinet/ip_var.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
retrieving revision 1.63
diff -u -p -r1.63 ip_var.h
--- netinet/ip_var.h    14 Nov 2016 03:51:53 -0000      1.63
+++ netinet/ip_var.h    23 Nov 2016 14:28:17 -0000
@@ -249,6 +249,7 @@ void         ip_savecontrol(struct inpcb *, str
            struct mbuf *);
 void    ipintr(void);
 void    ipv4_input(struct mbuf *);
+void    ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
 int     rip_ctloutput(int, struct socket *, int, int, struct mbuf **);
 void    rip_init(void);
 void    rip_input(struct mbuf *, ...);
