Date:      Sat, 21 May 2016 22:24:06 +0300
From:      Max <maximos@als.nnov.ru>
To:        freebsd-pf@freebsd.org
Subject:   Bug 201519
Message-ID:  <deb597cf-0c92-3d77-38f6-a03120f7e3ad@als.nnov.ru>

Hello,

I have patched and tested "case IPPROTO_UDP". It works. I think the other
cases should work too.

It's against releng/10.3
--- sys/netpfil/pf/pf.c.orig    2016-05-21 17:57:29.420602000 +0300
+++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
@@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta
                                     &nk->addr[pd2.didx], pd2.af) ||
                                     nk->port[pd2.didx] != uh.uh_dport)
                                         pf_change_icmp(pd2.dst, 
&uh.uh_dport,
-                                           NULL, /* XXX Inbound NAT? */
- &nk->addr[pd2.didx],
+                                           saddr, &nk->addr[pd2.didx],
                                             nk->port[pd2.didx], &uh.uh_sum,
                                             pd2.ip_sum, icmpsum,
                                             pd->ip_sum, 1, pd2.af);
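Review bot: Only the UDP branch gets the outer-source rewrite here, and the message itself says the other cases are untested. If the sibling protocol branches of pf_test_state_icmp still pass `NULL` in this slot, ICMP errors quoting TCP or ICMP packets would presumably keep exposing the internal 10.x source seen in the "Before" capture, so they should be checked and patched the same way. The new argument also drops the `/* XXX Inbound NAT? */` marker without recording why, so I would keep a comment on it, e.g. `saddr, /* also rewrite the outer ICMP source to the translated address */ &nk->addr[pd2.didx],`. It is worth confirming that this rewrite is intended when the ICMP error comes from an intermediate hop rather than the translated host, since the outer source is then replaced with `nk->addr[pd2.didx]` as well. The function body and the definition of `saddr` lie outside this hunk.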



Before:

# tcpdump -vni em1 'vlan and src net 10.0.0.0/8'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 
65535 bytes

18:26:53.523646 IP (tos 0x0, ttl 63, id 36181, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 65501 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 27788, offset 0, flags [none], proto 
UDP (17), length 150)
     AA.AA.AA.AA.53 > XX.XX.XX.XX.65501: [|domain]

18:26:53.523657 IP (tos 0x0, ttl 63, id 36182, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51397 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 27789, offset 0, flags [none], proto 
UDP (17), length 150)
     AA.AA.AA.AA.53 > XX.XX.XX.XX.51397: [|domain]

18:26:56.629648 IP (tos 0x0, ttl 63, id 36456, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 65254 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 13875, offset 0, flags [none], proto 
UDP (17), length 137)
     CC.CC.CC.CC.53 > YY.YY.YY.YY.65254: [|domain]

18:27:27.746093 IP (tos 0x0, ttl 63, id 38864, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 62079 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 429, offset 0, flags [none], proto UDP 
(17), length 150)
     BB.BB.BB.BB.53 > XX.XX.XX.XX.62079: [|domain]

18:27:27.746104 IP (tos 0x0, ttl 63, id 38865, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 51628 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 428, offset 0, flags [none], proto UDP 
(17), length 150)
     BB.BB.BB.BB.53 > XX.XX.XX.XX.51628: [|domain]

18:29:19.805568 IP (tos 0x0, ttl 63, id 42754, offset 0, flags [none], 
proto ICMP (1), length 56)
     10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 52016 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 13974, offset 0, flags [none], proto 
UDP (17), length 151)
     CC.CC.CC.CC.53 > YY.YY.YY.YY.52016: [|domain]



After:

# date ; tcpdump -vni em1 'vlan and src net 10.0.0.0/8' ; date
Sat May 21 18:40:08 MSK 2016
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 
65535 bytes
^C
0 packets captured
80373 packets received by filter
0 packets dropped by kernel
Sat May 21 18:54:53 MSK 2016


# tcpdump -vni em1 'vlan and icmp[icmptype] = icmp-unreach'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 
65535 bytes
19:11:39.539336 IP (tos 0x0, ttl 63, id 46008, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 51264 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15144, offset 0, flags [none], proto 
UDP (17), length 463)
     BB.BB.BB.BB.53 > YY.YY.YY.YY.51264: [|domain]

19:11:40.063673 IP (tos 0x0, ttl 63, id 46031, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 54326 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15145, offset 0, flags [none], proto 
UDP (17), length 463)
     BB.BB.BB.BB.53 > YY.YY.YY.YY.54326: [|domain]

19:12:13.830491 IP (tos 0x0, ttl 63, id 47980, offset 0, flags [none], 
proto ICMP (1), length 56)
     XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 50234 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 14958, offset 0, flags [none], proto 
UDP (17), length 152)
     AA.AA.AA.AA.53 > XX.XX.XX.XX.50234: [|domain]

19:12:13.830502 IP (tos 0x0, ttl 63, id 47981, offset 0, flags [none], 
proto ICMP (1), length 56)
     XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 56144 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 14959, offset 0, flags [none], proto 
UDP (17), length 141)
     AA.AA.AA.AA.53 > XX.XX.XX.XX.56144: [|domain]

19:12:13.830512 IP (tos 0x0, ttl 63, id 47982, offset 0, flags [none], 
proto ICMP (1), length 56)
     XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51648 
unreachable, length 36
         IP (tos 0x0, ttl 61, id 14960, offset 0, flags [none], proto 
UDP (17), length 152)
     AA.AA.AA.AA.53 > XX.XX.XX.XX.51648: [|domain]

19:13:01.643129 IP (tos 0x0, ttl 63, id 50328, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 57306 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15226, offset 0, flags [none], proto 
UDP (17), length 152)
     CC.CC.CC.CC.53 > YY.YY.YY.YY.57306: [|domain]

19:13:31.672915 IP (tos 0x0, ttl 63, id 51139, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 60908 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15253, offset 0, flags [none], proto 
UDP (17), length 154)
     CC.CC.CC.CC.53 > YY.YY.YY.YY.60908: [|domain]

19:13:32.115936 IP (tos 0x0, ttl 63, id 51186, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 54767 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15254, offset 0, flags [none], proto 
UDP (17), length 154)
     CC.CC.CC.CC.53 > YY.YY.YY.YY.54767: [|domain]

19:13:32.995098 IP (tos 0x0, ttl 63, id 51209, offset 0, flags [none], 
proto ICMP (1), length 56)
     YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 58573 
unreachable, length 36
         IP (tos 0x88, ttl 62, id 15258, offset 0, flags [none], proto 
UDP (17), length 149)
     BB.BB.BB.BB.53 > YY.YY.YY.YY.58573: [|domain]



