Page MenuHomeFreeBSD
Differential D49095

pf: cope with IPv6 gateways for an IPv4 route in nat64
ClosedPublic
Actions

Authored by kp on Feb 21 2025, 4:33 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Feb 8, 12:21 PM
Unknown Object (File)
Sun, Feb 8, 7:39 AM
Unknown Object (File)
Sun, Feb 8, 4:11 AM
Unknown Object (File)
Fri, Jan 30, 4:08 PM
Unknown Object (File)
Fri, Jan 16, 3:33 PM
Unknown Object (File)
Fri, Jan 16, 12:07 PM
Unknown Object (File)
Dec 13 2025, 10:10 PM
Unknown Object (File)
Dec 6 2025, 12:23 AM
View All 65 Files
Subscribers
farrokhi
glebius
imp
ivy
melifaro
vegeta_tuxpowered.net
zlei

Details

Reviewers
zlei
Group Reviewers
network
pfsense
Commits
rG41265f65a549: pf: cope with IPv6 gateways for an IPv4 route in nat64
Summary

It's possible for an IPv4 next hop to be specified as an IPv6 address. This
broke pf's route lookup in pf_route(), which is required for nat64.

Handle this case just like ip_tryforward(): use the struct sockaddr from the
struct nhop_object, and mark a struct route to indicate if_output() has to use
the gateway.

Add a test case for this.

PR: 284946
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Feb 21 2025, 4:33 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptFeb 21 2025, 4:33 PM
kp requested review of this revision.Feb 21 2025, 4:33 PM
Harbormaster completed remote builds in B62565: Diff 151301.Feb 21 2025, 4:33 PM
kp added a comment.Feb 21 2025, 6:44 PM

While this does fix this test case it seems to break others. I’ll debug and update.

kp updated this revision to Diff 151398.Feb 24 2025, 12:37 PM

fixed version
(Keep rt_addrs for !nat64, use ip_dst for nat64 without gateway)

Harbormaster completed remote builds in B62614: Diff 151398.Feb 24 2025, 12:37 PM
zlei accepted this revision as: zlei.Feb 24 2025, 2:24 PM
zlei added a subscriber: zlei.

I have not tested this yet, the changed part of pf_route() and the new test look good to me.

This revision is now accepted and ready to land.Feb 24 2025, 2:24 PM
ivy added a subscriber: ivy.Feb 25 2025, 2:03 AM
Closed by commit rG41265f65a549: pf: cope with IPv6 gateways for an IPv4 route in nat64 (authored by kp). · Explain WhyFeb 25 2025, 10:04 AM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG41265f65a549: pf: cope with IPv6 gateways for an IPv4 route in nat64.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
40 lines
tests/
sys/
netpfil/
pf/
62 lines

Diff 151453

View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/nat64.sh

Loading...