Differential D49665

pfctl: fix no nat / no rdr rules
ClosedPublic
Actions

Authored by kp on Apr 4 2025, 4:18 PM.

Details

Reviewers

vegeta_tuxpowered.net

Group Reviewers

network

Commits

rG97a74f461621: pfctl: fix no nat / no rdr rules

Summary

In aeddee83341 the nat rule parsing was significantly reworked, unintentionally
breaking no nat / no rdr rules. The option to not have a -> ... redirspec was
omitted.

Add trivial test cases to catch such issues in the future.

Reported by: Thomas Pasqualini <thomas.pasqualini@orange.com>
Sponsored by: Orange Business Services

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Apr 4 2025, 4:18 PM

Herald added a subscriber: imp. · View Herald TranscriptApr 4 2025, 4:18 PM

kp requested review of this revision.Apr 4 2025, 4:18 PM

Harbormaster completed remote builds in B63324: Diff 153153.Apr 4 2025, 4:18 PM

guest-patmaddox added a subscriber: guest-patmaddox.Apr 4 2025, 6:37 PM

vegeta_tuxpowered.net added inline comments.Apr 7 2025, 1:14 PM

sbin/pfctl/tests/pfctl_test_list.inc
177	This does not really describe what is tested. Maybe something like "no {nat,rdr} rules have no ARROW port_redirspec"?

kp added inline comments.Apr 7 2025, 1:20 PM

sbin/pfctl/tests/pfctl_test_list.inc
177	I'd argue that it does describe the test, in that we're ensuring that 'no nat' or 'no rdr' rules can be set. Yes, they don't include ARROW port_redirspec, but that's only part of what needs to be correct. (We can't have ARROW port_redirspec, or the validation code objects, and without this patch the parser objects if the ARROW port_redirspec isn't present.)
177	I'm not entirely sure how to describe all of that in a one line test description.