pf: extra route lookup in pf_route(6)()
ClosedPublic
Actions

Authored by kp on Nov 27 2024, 4:42 PM.

Details

Reviewers

None

Group Reviewers

pfsense
network

Commits

rGea9113be3f19: pf: extra route lookup in pf_route(6)()

Summary

In the NAT64 case we use pf_route(6)() to emit the translated packet. This
requires a new route lookup, so perform this, but only in the NAT64/NAT46 case.
Update the destination sockaddr to send packets to the gateway if appropriate.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 60822
Build 57706: arc lint + arc unit

Event Timeline

kp created this revision.Nov 27 2024, 4:42 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptNov 27 2024, 4:42 PM

kp requested review of this revision.Nov 27 2024, 4:42 PM

Harbormaster completed remote builds in B60822: Diff 147047.Nov 27 2024, 4:42 PM

kp added a parent revision: D47787: pf: fix state export in the face of NAT64.Nov 27 2024, 4:42 PM

kp added a child revision: D47789: pf: support nat64 for SCTP.

vegeta_tuxpowered.net added inline comments.Nov 27 2024, 5:21 PM

sys/netpfil/pf/pf.c
8740	Can you give an example of a rule which would match this? It seems just a step away from providing `route-to` rules without forcing interface.

kp added inline comments.Nov 28 2024, 7:56 AM

sys/netpfil/pf/pf.c
8740	That'd be a nat64 rule, such as `pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN)`. I deliberately limited this lookup to only the nat64 case (so pd->af != pd->naf) to not affect existing rules. We could certainly look at making route-to do a routing lookup outside of that scenario, but I'm not sure what the point of that would be. route-to is intended to let you overrule the normal routing lookup, so if you want the normal routing lookup just don't use it?

vegeta_tuxpowered.net added inline comments.Nov 28 2024, 9:23 AM

sys/netpfil/pf/pf.c
8740	That'd be a nat64 rule, such as `pass in on $LAN inet6 from any to 64:ff9b::/96 af-to inet from ($WAN)`. I've missed the fact that you use `pf_route()` to emit AF-NAT'ed packets. Is this what OpenBSD does? I can't see it, but I have the latest code checkout, is it something they did while developing AF-NAT?

kp added inline comments.Nov 28 2024, 9:33 AM

sys/netpfil/pf/pf.c
8740	It's what they did in the initial versions, yes. It looks like they migrated to ip6_output/ip6_forward at some point after that. That's what the latest version does. My plan is to stick close-ish to the code as it's being imported. That'll make imports of follow-on patches easier. At some point we'll get to whatever patch they have to migrate over and follow that too.