Date:      Tue, 02 Aug 2005 14:57:06 +0400
From:      Boris Polevoy <vapcom@mail.ru>
To:        freebsd-pf@freebsd.org
Cc:        mlaier@freebsd.org
Subject:   PF rdr bitmask BUG
Message-ID:  <E1DzuSI-0000Lt-00.vapcom-mail-ru@f41.mail.ru>

Hello All!

I have a problem with an rdr rule in pf.

Test configuration:

+---------+                  +---------+                   +---------+
|client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
|     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
|         |    192.168.3.2/24|         |        10.0.0.2/24|         |
+---------+    192.168.3.3/24+---------+        10.0.0.3/32+---------+

The client and firewall boxes run FreeBSD 5.4-RELEASE, the server runs FreeBSD 4.7-RELEASE.
On the firewall, interface fxp0 has two aliases, 192.168.3.2/24 and 192.168.3.3/24;
on the server box, fxp0 has the aliases 10.0.0.2/24 and 10.0.0.3/32 for testing the redirection.

Rules in pf on firewall:
  rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
  pass all

Test command on client:
  ping -c4 192.168.3.2

Ping does not work; packets from the firewall go to the wrong addresses.

I added a log printf to the pf code, in function pf_map_addr() in pf.c:

  case PF_POOL_BITMASK:
    /* expand a struct in_addr into four octets for printf */
    #define QUAD_ADDR(_addr)                                \
      ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
      ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]

    /* pool base, pool mask and the packet address handed in by the caller */
    printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
           QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
    PF_POOLMASK(naddr, raddr, rmask, saddr, af);
    /* resulting translated address */
    printf("naddr:<%u.%u.%u.%u> \n", QUAD_ADDR(naddr->v4));
    break;

The log output shows that _naddr_ after translation is 10.0.0.10, but I think it
must be 10.0.0.2.

It seems to be a wrong call of pf_map_addr() in pf_get_translation():
instead of the destination address, the source address is used:
case PF_RDR:
        if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
                return (NULL);

It must be                         vvvvv
        if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
                return (NULL);

Is it a bug or not?

With best regards
Boris Polevoy 
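Added example, not part of the post above and not pf's own source: a stand-alone C model of what the IPv4 arm of PF_POOLMASK computes (bits covered by the pool mask come from the pool base, the remaining bits from whichever packet address was passed in), run over the addresses from the reported test setup. It shows why keying the bitmask pool on the source address yields 10.0.0.10 for every target, while keying it on the destination address yields 10.0.0.2 and 10.0.0.3. The names pool_mask_v4, rdr_map and struct pkt are assumptions of this example, not pf identifiers.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the pf source. Models the IPv4 arm of
 * PF_POOLMASK(naddr, raddr, rmask, saddr, af): address bits covered by
 * the pool mask come from the pool base, the rest from the packet
 * address the caller passed in. All values are in host byte order. */
static uint32_t pool_mask_v4(uint32_t pool_base, uint32_t pool_mask, uint32_t key)
{
    return (pool_base & pool_mask) | (key & ~pool_mask);
}

/* Hypothetical packet descriptor standing in for pf's pd->src / pd->dst. */
struct pkt {
    uint32_t saddr;
    uint32_t daddr;
};

/* Models the PF_RDR case of pf_get_translation(). key_on_daddr == 0 is the
 * call as reported (saddr handed to pf_map_addr); key_on_daddr == 1 is the
 * call the report proposes (daddr). Returns the translated destination. */
static uint32_t rdr_map(const struct pkt *p, uint32_t pool_base,
                        uint32_t pool_mask, int key_on_daddr)
{
    uint32_t key = key_on_daddr ? p->daddr : p->saddr;
    return pool_mask_v4(pool_base, pool_mask, key);
}

/* Dotted quad to host-order uint32; returns 0 when the string does not parse. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* Host-order uint32 to dotted quad in a caller-supplied buffer. */
static const char *ip4_str(uint32_t v, char *buf, size_t len)
{
    struct in_addr a;
    a.s_addr = htonl(v);
    if (inet_ntop(AF_INET, &a, buf, (socklen_t)len) == NULL)
        return "?";
    return buf;
}

int main(void)
{
    /* Constructed from the rule in the report:
     *   rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
     * with the client at 192.168.3.10 pinging the two firewall aliases. */
    const uint32_t pool_base = ip4("10.0.0.0");
    const uint32_t pool_mask = ip4("255.255.255.0");
    const char *targets[] = { "192.168.3.2", "192.168.3.3" };
    char sb[INET_ADDRSTRLEN], db[INET_ADDRSTRLEN];
    char rb[INET_ADDRSTRLEN], pb[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        struct pkt p = { ip4("192.168.3.10"), ip4(targets[i]) };
        uint32_t as_reported = rdr_map(&p, pool_base, pool_mask, 0);
        uint32_t as_proposed = rdr_map(&p, pool_base, pool_mask, 1);
        printf("%s -> %s: keyed on saddr gives %s, keyed on daddr gives %s\n",
               ip4_str(p.saddr, sb, sizeof sb), ip4_str(p.daddr, db, sizeof db),
               ip4_str(as_reported, rb, sizeof rb), ip4_str(as_proposed, pb, sizeof pb));
    }
    return 0;
}
```

With the report's rule, the source-keyed path produces 10.0.0.10 for both targets, matching the naddr the debug printf logged, because the low octet always comes from the client's address; the destination-keyed path produces 10.0.0.2 for 192.168.3.2 and 10.0.0.3 for 192.168.3.3, which is the one-to-one mapping a bitmask rdr pool is meant to give.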

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1DzuSI-0000Lt-00.vapcom-mail-ru>