Page MenuHomeFreeBSD

pf: extra route lookup in pf_route(6)()
Needs ReviewPublic

Authored by kp on Wed, Nov 27, 4:42 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 7, 5:28 PM
Unknown Object (File)
Wed, Dec 4, 7:46 PM
Unknown Object (File)
Sun, Dec 1, 3:57 PM

Details

Reviewers
None
Group Reviewers
pfsense
network
Summary

In the NAT64 case we use pf_route(6)() to emit the translated packet. This
requires a new route lookup, so perform this, but only in the NAT64/NAT46 case.
Update the destination sockaddr to send packets to the gateway if appropriate.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 60822
Build 57706: arc lint + arc unit

Event Timeline

kp requested review of this revision.Wed, Nov 27, 4:42 PM
sys/netpfil/pf/pf.c
8740

Can you give an example of a rule which would match this? It seems just a step away from providing route-to rules without forcing interface.

sys/netpfil/pf/pf.c
8740

That'd be a nat64 rule, such as pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN).

I deliberately limited this lookup to only the nat64 case (so pd->af != pd->naf) to not affect existing rules. We could certainly look at making route-to do a routing lookup outside of that scenario, but I'm not sure what the point of that would be. route-to is intended to let you overrule the normal routing lookup, so if you want the normal routing lookup just don't use it?

sys/netpfil/pf/pf.c
8740

That'd be a nat64 rule, such as pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN).

I've missed the fact that you use pf_route() to emit AF-NAT'ed packets. Is this what OpenBSD does? I can't see it, but I have the latest code checkout, is it something they did while developing AF-NAT?

sys/netpfil/pf/pf.c
8740

It's what they did in the initial versions, yes. It looks like they migrated to ip6_output/ip6_forward at some point after that. That's what the latest version does.

My plan is to stick close-ish to the code as it's being imported. That'll make imports of follow-on patches easier. At some point we'll get to whatever patch they have to migrate over and follow that too.