Page MenuHomeFreeBSD
Differential D31504

pf: always log nat rule and do it pre-rewrite
ClosedPublic
Actions

Authored by franco_opnsense.org on Aug 11 2021, 8:24 AM.
Tags
None
Referenced Files
F81613481: D31504.diff
Thu, Apr 18, 11:40 PM
Unknown Object (File)
Tue, Apr 9, 8:16 PM
Unknown Object (File)
Mar 14 2024, 8:58 AM
Unknown Object (File)
Mar 7 2024, 7:52 PM
Unknown Object (File)
Feb 11 2024, 4:30 PM
Unknown Object (File)
Feb 8 2024, 10:12 PM
Unknown Object (File)
Jan 23 2024, 11:37 PM
Unknown Object (File)
Jan 12 2024, 12:00 AM
View All 47 Files
Subscribers
farrokhi
imp
melifaro
Contributor Reviews (src)

Details

Reviewers
kp
Commits
rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite
Summary

PR: https://github.com/opnsense/core/issues/5005

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 41510
Build 38399: arc lint + arc unit

Event Timeline

franco_opnsense.org created this revision.Aug 11 2021, 8:24 AM
Herald added subscribers: Contributor Reviews (src), melifaro, farrokhi, imp. · View Herald TranscriptAug 11 2021, 8:24 AM
franco_opnsense.org requested review of this revision.Aug 11 2021, 8:24 AM
Harbormaster completed remote builds in B40985: Diff 93530.Aug 11 2021, 8:24 AM
franco_opnsense.org added a reviewer: kp.Aug 11 2021, 8:26 AM
kp added a comment.Aug 13 2021, 1:23 PM

Thanks for posting this here.

I've not lost track of this patch, but I've yet to find the time to dig into it in detail. It's still very much on my todo list.

kp added inline comments.Sep 7 2021, 8:06 PM
sys/netpfil/pf/pf.c
3569

Why are we adding a match count here? Do we want to count each NAT-ed packet twice in the match counter?

franco_opnsense.org added inline comments.Sep 8 2021, 1:00 PM
sys/netpfil/pf/pf.c
3569

Well, it's needed in the "rdr pass" case at least. I see your point about double-accounting. The code was copied to retain integrity, though REASON_SET is a strange macro with an intended side effect not making this easy. Let me try to propose a different approach.

franco_opnsense.org added a comment.Sep 8 2021, 1:03 PM

But to be fair both rules are matching accounting-wise unless we assume that only "pass" can account for "match".

franco_opnsense.org updated this revision to Diff 95148.Sep 14 2021, 12:04 PM

void REASON_SET by directly passing PFRES_MATCH

Harbormaster completed remote builds in B41510: Diff 95148.Sep 14 2021, 12:04 PM
franco_opnsense.org marked an inline comment as done.Sep 14 2021, 12:05 PM

Not sure about omitting the match on a NAT rule, but doing it inside the log code was definitely wrong.

kp added a comment.Sep 16 2021, 12:15 PM

(Not forgotten to this, but busy with eurobsd for the next few days)

This revision was not accepted when it landed; it landed in state Needs Review.Sep 18 2021, 1:51 PM
Closed by commit rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite (authored by franco_opnsense.org, committed by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
9 lines

Diff 95148

View Options

sys/netpfil/pf/pf.c

Loading...