D52838.id163274.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D52838.id163274.diff
View Options

	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -5965,37 +5965,42 @@
	ctx.nat_pool = &(ctx.nr->rdr);
	}

	- ruleset = &pf_main_ruleset;
	- rv = pf_match_rule(&ctx, ruleset, match_rules);
	- if (rv == PF_TEST_FAIL) {
	- /*
	- * Reason has been set in pf_match_rule() already.
	- */
	- goto cleanup;
	- }
	-
	- r = ctx.rm; / matching rule */
	- ctx.a = ctx.am; / rule that defines an anchor containing 'r' */
	- ruleset = ctx.rsm; / ruleset of the anchor defined by the rule 'a' */
	- ctx.aruleset = ctx.arsm; /* ruleset of the 'a' rule itself */
	+ if (ctx.nr && ctx.nr->natpass) {
	+ r = ctx.nr;
	+ ruleset = *ctx.rsm;
	+ } else {
	+ ruleset = &pf_main_ruleset;
	+ rv = pf_match_rule(&ctx, ruleset, match_rules);
	+ if (rv == PF_TEST_FAIL) {
	+ /*
	+ * Reason has been set in pf_match_rule() already.
	+ */
	+ goto cleanup;
	+ }

	- REASON_SET(&ctx.reason, PFRES_MATCH);
	+ r = ctx.rm; / matching rule */
	+ ctx.a = ctx.am; / rule that defines an anchor containing 'r' */
	+ ruleset = ctx.rsm; / ruleset of the anchor defined by the rule 'a' */
	+ ctx.aruleset = ctx.arsm; /* ruleset of the 'a' rule itself */

	- /* apply actions for last matching pass/block rule */
	- pf_rule_to_actions(r, &pd->act);
	- transerror = pf_rule_apply_nat(&ctx, r);
	- switch (transerror) {
	- case PFRES_MATCH:
	- /* Translation action found in rule and applied successfully */
	- case PFRES_MAX:
	- /* No translation action found in rule */
	- break;
	- default:
	- /* Translation action found in rule but failed to apply */
	- REASON_SET(&ctx.reason, transerror);
	- goto cleanup;
	+ /* apply actions for last matching pass/block rule */
	+ pf_rule_to_actions(r, &pd->act);
	+ transerror = pf_rule_apply_nat(&ctx, r);
	+ switch (transerror) {
	+ case PFRES_MATCH:
	+ /* Translation action found in rule and applied successfully */
	+ case PFRES_MAX:
	+ /* No translation action found in rule */
	+ break;
	+ default:
	+ /* Translation action found in rule but failed to apply */
	+ REASON_SET(&ctx.reason, transerror);
	+ goto cleanup;
	+ }
	}

	+ REASON_SET(&ctx.reason, PFRES_MATCH);
	+
	if (r->log) {
	if (ctx.rewrite)
	m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
	diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh
	--- a/tests/sys/netpfil/pf/nat.sh
	+++ b/tests/sys/netpfil/pf/nat.sh
	@@ -838,7 +838,7 @@
	jexec gw dnctl pipe 1 config delay 100 mask src-ip 0xffffff00
	jexec gw pfctl -e
	pft_set_rules gw \
	- "nat pass on ${epair_srv}b inet from 192.0.2.0/24 to any -> (${epair_srv}b)" \
	+ "nat on ${epair_srv}b inet from 192.0.2.0/24 to any -> (${epair_srv}b)" \
	"pass out dnpipe 1"

	atf_check -s exit:0 -o ignore \
	diff --git a/tests/sys/netpfil/pf/rdr.sh b/tests/sys/netpfil/pf/rdr.sh
	--- a/tests/sys/netpfil/pf/rdr.sh
	+++ b/tests/sys/netpfil/pf/rdr.sh
	@@ -281,8 +281,66 @@
	pft_cleanup
	}

	+atf_test_case "natpass" "cleanup"
	+natpass_head()
	+{
	+ atf_set descr 'Test rdr pass'
	+ atf_set require.user root
	+}
	+
	+natpass_body()
	+{
	+ pft_init
	+
	+ epair=$(vnet_mkepair)
	+ epair_link=$(vnet_mkepair)
	+
	+ ifconfig ${epair}a 192.0.2.2/24 up
	+
	+ vnet_mkjail alcatraz ${epair}b ${epair_link}a
	+ jexec alcatraz ifconfig lo0 inet 127.0.0.1/8 up
	+ jexec alcatraz ifconfig ${epair}b inet 192.0.2.1/24 up
	+ jexec alcatraz ifconfig ${epair_link}a 198.51.100.1/24 up
	+ jexec alcatraz sysctl net.inet.ip.forwarding=1
	+
	+ vnet_mkjail srv ${epair_link}b
	+ jexec srv ifconfig ${epair_link}b inet 198.51.100.2/24 up
	+ jexec srv route add default 198.51.100.1
	+
	+ # Sanity check
	+ atf_check -s exit:0 -o ignore \
	+ ping -c 1 192.0.2.1
	+ atf_check -s exit:0 -o ignore \
	+ jexec alcatraz ping -c 1 198.51.100.2
	+
	+ jexec alcatraz pfctl -e
	+ pft_set_rules alcatraz \
	+ "rdr pass on ${epair}b proto udp from any to 192.0.2.1 port 80 -> 198.51.100.2" \
	+ "nat on ${epair}b inet from 198.51.100.0/24 to any -> 192.0.2.1" \
	+ "block in proto udp from any to any port 80" \
	+ "pass in proto icmp"
	+
	+ echo "foo" \| jexec srv nc -u -l 80 &
	+ sleep 1 # Give the above a moment to start
	+
	+ out=$(echo 1 \| nc -u -w 1 192.0.2.1 80)
	+ echo "out ${out}"
	+ if [ "${out}" != "foo" ];
	+ then
	+ jexec alcatraz pfctl -sn -vv
	+ jexec alcatraz pfctl -ss -vv
	+ atf_fail "rdr failed"
	+ fi
	+}
	+
	+natpass_cleanup()
	+{
	+ pft_cleanup
	+}
	+
	atf_init_test_cases()
	{
	+ atf_add_test_case "natpass"
	atf_add_test_case "tcp_v6_compat"
	atf_add_test_case "tcp_v6_pass"
	atf_add_test_case "srcport_compat"

File Metadata

Mime Type: text/plain
Expires: Sat, Oct 11, 2:46 AM (16 h, 5 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 23553528
Default Alt Text: D52838.id163274.diff (4 KB)

D52838.id163274.diffNo OneTemporaryActions

D52838.id163274.diffView Options

File Metadata

Event Timeline

D52838.id163274.diff
No OneTemporary
Actions

D52838.id163274.diff
View Options