Details

Reviewers

Commits

rG562648ad4145: pf: Make nat-to and rdr-to work properly both on in and out rules
rG646798b67831: pf: Make nat-to and rdr-to work properly both on in and out rules

Summary

New-style address translation is done by nat-to and rdr-to actions on
normal match and pass rules. Those rules, when used without address
translation, can be specified without direction. But that allows users
to specify pre-routing nat and post-routing rdr. This case is not
handled properly and causes pre-routing nat to modify destination
address, as if it was a rdr rule, and post-routing rdr to modify source
address, as if it was a nat rule.

Ensure that nat-to action modifies source address and rdr-to destination
address no matter in which direction the rule is applied. The man page
for pf.conf already specifies that nat-to and rdr-to rules should be
limited to respective directions.

PR: 288577
MFC after: 3 days
Sponsored by: InnoGames GmbH

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Oct 20 2025, 2:47 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptOct 20 2025, 2:47 PM

vegeta_tuxpowered.net requested review of this revision.Oct 20 2025, 2:47 PM

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

vegeta_tuxpowered.net added inline comments.Oct 20 2025, 2:50 PM

tests/sys/netpfil/pf/nat.sh
920	I'm unsure if we really need this test case. I have originally developed it when working on kernel side fix to ensure that NAT is properly applied on source address no matter on which direction the rule matters. But with pfctl forbidding loading such rules it can't be tested anymore. But the kernel code will accept such rule and handle it properly. Please advise :)

vegeta_tuxpowered.net updated this revision to Diff 164675.Oct 21 2025, 8:53 AM

Herald added a subscriber: ae. · View Herald TranscriptOct 21 2025, 8:53 AM

Restore the proper patch

vegeta_tuxpowered.net added inline comments.Oct 22 2025, 11:01 AM

tests/sys/netpfil/pf/nat.sh
920	Please disregard this comment. Apparently OpenBSD does support nat-to and rdr-to on both directions and clearly states that in man pf.conf. I will rework this patch.

Don't forbid address translation on non-usual direction, since OpenBSD allows it too. Enable the test for nat-to on inbound direction.

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)Oct 22 2025, 3:19 PM

kp accepted this revision.Oct 29 2025, 10:17 AM

This revision is now accepted and ready to land.Oct 29 2025, 10:17 AM

Closed by commit rG646798b67831: pf: Make nat-to and rdr-to work properly both on in and out rules (authored by vegeta_tuxpowered.net). · Explain WhyOct 30 2025, 5:45 PM

This revision was automatically updated to reflect the committed changes.

vegeta_tuxpowered.net added a commit: rG646798b67831: pf: Make nat-to and rdr-to work properly both on in and out rules.

vegeta_tuxpowered.net added a commit: rG562648ad4145: pf: Make nat-to and rdr-to work properly both on in and out rules.Nov 11 2025, 5:39 PM

pf: Make nat-to and rdr-to work properly both on in and out rules
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 164676

sbin/pfctl/parse.y

sbin/pfctl/tests/files/pf1076.fail

sbin/pfctl/tests/files/pf1076.in

sbin/pfctl/tests/files/pf1077.fail

sbin/pfctl/tests/files/pf1077.in

sbin/pfctl/tests/pfctl_test_list.inc

sys/netpfil/pf/pf_lb.c

tests/sys/netpfil/pf/nat.sh

pf: Make nat-to and rdr-to work properly both on in and out rulesClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 164676

sbin/pfctl/parse.y

sbin/pfctl/tests/files/pf1076.fail

sbin/pfctl/tests/files/pf1076.in

sbin/pfctl/tests/files/pf1077.fail

sbin/pfctl/tests/files/pf1077.in

sbin/pfctl/tests/pfctl_test_list.inc

sys/netpfil/pf/pf_lb.c

tests/sys/netpfil/pf/nat.sh

pf: Make nat-to and rdr-to work properly both on in and out rules
ClosedPublic
Actions

Revision Contents
Changeset List