Date:      Tue, 2 Aug 2005 13:51:15 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, Boris Polevoy <vapcom@mail.ru>
Subject:   Re: PF rdr bitmask BUG
Message-ID:  <200508021351.22789.max@love2party.net>
In-Reply-To: <E1DzuSI-0000Lt-00.vapcom-mail-ru@f41.mail.ru>
References:  <E1DzuSI-0000Lt-00.vapcom-mail-ru@f41.mail.ru>


On Tuesday 02 August 2005 12:57, Boris Polevoy wrote:
> Hello All!
>
> I have a problem with an rdr rule in pf.
>
> Test configuration:
>
> +---------+                  +---------+                   +---------+
> |client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
> |     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
> |         |    192.168.3.2/24|         |        10.0.0.2/24|         |
> +---------+    192.168.3.3/24+---------+        10.0.0.3/32+---------+
>
> The client and firewall boxes run FreeBSD 5.4-RELEASE, the server runs
> FreeBSD 4.7-RELEASE. On the firewall, interface fxp0 has two aliases,
> 192.168.3.2/24 and 192.168.3.3/24; on the server box fxp0 has the aliases
> 10.0.0.2/24 and 10.0.0.3/32 for testing the redirection.
>
> Rules in pf on firewall:
>   rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
>   pass all
>
> Test command on client:
>   ping -c4 192.168.3.2
>
> Ping does not work; packets from the firewall go to wrong addresses.
>
> I have added a log print in the pf code, in function pf.c/pf_map_addr():
>
>   case PF_POOL_BITMASK:
>     #define QUAD_ADDR(_addr)                                \
>       ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
>       ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]
>
>     printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
>            QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
>     PF_POOLMASK(naddr, raddr, rmask, saddr, af);
>     printf("naddr:<%u.%u.%u.%u> \n", QUAD_ADDR(naddr->v4));
>     break;
>
> The log output shows that _naddr_ after translation is 10.0.0.10, but I
> think it must be 10.0.0.2.
>
> It seems to be a wrong call of pf_map_addr() in pf_get_translation():
> instead of the destination address, the source address is used:
> case PF_RDR:
>         if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
>                 return (NULL);
>
> It must be                         vvvvv
>         if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
>                 return (NULL);
>
> Is it a bug or not?

From a quick first look your analysis seems to be correct - according to
pf.conf(5) bitmask should use the destination address for rdr.  However, the
proposed fix will not work as it breaks (at least) the sticky address option.

Maybe it's easiest to fix the host part in pf_get_translation after the
pf_map_addr call?  This would require some amount of code duplication,
though.

I will be looking for a better fix during/after the weekend.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
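The translation arithmetic the thread is arguing about, as an added example that is not pf's own code: a userland reconstruction of what the bitmask pool does for IPv4 (network bits from the pool address, host bits from the packet address), run once with the source address and once with the destination address of the reported ping. The helper names ip4(), mask_from_prefix() and pool_bitmask() are chosen for this illustration; the addresses are the ones from the report.

```c
/* Added example, not pf code: IPv4 "bitmask" pool translation as pf.conf(5)
 * describes it. ip4(), mask_from_prefix() and pool_bitmask() are helper names
 * chosen for this illustration. All addresses are handled in host byte order. */
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit value; returns 0 on bad input. */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Netmask for a /plen prefix, e.g. 24 -> 255.255.255.0. */
static uint32_t mask_from_prefix(int plen)
{
    if (plen <= 0)
        return 0;
    if (plen >= 32)
        return 0xffffffffu;
    return ~((1u << (32 - plen)) - 1u);
}

/* The PF_POOLMASK idea for AF_INET: network bits come from the pool
 * (raddr/rmask), host bits from whichever packet address is handed in. */
static uint32_t pool_bitmask(uint32_t raddr, uint32_t rmask, uint32_t addr)
{
    return (raddr & rmask) | (addr & ~rmask);
}

/* Print a host-order address as a dotted quad. */
static void print_ip4(const char *label, uint32_t a)
{
    printf("%s%u.%u.%u.%u\n", label,
           a >> 24, (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff);
}

int main(void)
{
    /* Constructed from the report: rdr ... to 192.168.3.0/24 -> 10.0.0.0/24
     * bitmask, and a ping from 192.168.3.10 to 192.168.3.2. */
    uint32_t raddr = ip4("10.0.0.0");
    uint32_t rmask = mask_from_prefix(24);
    uint32_t saddr = ip4("192.168.3.10");
    uint32_t daddr = ip4("192.168.3.2");

    /* Host part taken from the source address gives 10.0.0.10, which the
     * server does not own, so the redirected ping goes nowhere. */
    print_ip4("naddr from saddr: ", pool_bitmask(raddr, rmask, saddr));
    /* Host part taken from the destination address gives 10.0.0.2. */
    print_ip4("naddr from daddr: ", pool_bitmask(raddr, rmask, daddr));
    return 0;
}
```

Running this prints 10.0.0.10 for the source-address case and 10.0.0.2 for the destination-address case, which is exactly the discrepancy the log print in the report shows. It only illustrates the address arithmetic; it says nothing about the sticky-address interaction that, per the reply above, rules out simply swapping saddr for daddr in the pf_map_addr() call.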
