From nobody Tue Jan 24 08:50:31 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Tue, 24 Jan 2023 08:50:31 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #13 from Kristof Provost ---
Oh. Wait.

The setup in comment #1 tries to use 'rdr' to redirect an outbound packet.
But the pf.conf man page says:

"Then either the rdr rules are evaluated on an inbound packet or the nat
rules on an outbound packet."

So I don't think that's expected to work. You should be able (and indeed, in
my test script I can) make this work using 'nat' rather than 'rdr'.

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Tue Jan 24 13:22:57 2023
Date: Tue, 24 Jan 2023 13:22:57 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #14 from dfr@rabson.org ---
For my use-case, I need to be able to change both destination address and
port and currently the nat rule only allows changing the address. Also, I'm
not sure that nat will work here since it re-writes the source address and I
need to change the destination address.

As I understand the current situation with rdr, for new local connections, a
PF_IN event is triggered when the packet leaves the local network stack and
this matches the rdr rule, re-writing destination address and port and
setting a state to match the reply. Unfortunately for reply packets no
corresponding PF_OUT event is triggered when the packet is delivered to the
local network stack so the reverse re-write does not happen. This is why my
suggested change works since it simulates the PF_OUT event for packets which
will be processed locally.

From nobody Wed Jan 25 08:14:07 2023
Date: Wed, 25 Jan 2023 08:14:07 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #15 from Kristof Provost ---
(In reply to dfr from comment #14)

Right, but rdr very much expects to be used on inbound traffic only.

I believe the relevant code to be in pf_get_translation(), where we only look
at the RDR ruleset if direction != PF_OUT (i.e. it's PF_IN).

So I think we have three choices:

1) extend nat (or binat) to be able to change the port and destination
   address (rather than source address).
2) teach rdr to work on PF_OUT
3) Build on the work in https://reviews.freebsd.org/D38025 and use OpenBSD's
   rdr-to, where the man page at least seems to suggest it can also work on
   outbound traffic.

From nobody Wed Jan 25 11:07:37 2023
Date: Wed, 25 Jan 2023 11:07:37 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #16 from dfr@rabson.org ---
As far as I understand the code (which is not very well TBH), both nat and rdr
rules rely on both PF_IN and PF_OUT events but differ on which event triggers
state creation: PF_IN for rdr and PF_OUT for nat with the opposite event
matching the other direction to reverse the re-write.

For connections initiated locally, this symmetry is broken since we generate
PF_IN events for the SYN causing the re-write and creating the state but since
there is no corresponding PF_OUT for the SYN+ACK reply, the connection fails.
This is why I think we need PF_OUT for packets which will be delivered to the
local stack rather than routed onward.
I thought about whether it makes sense for rdr state creation to happen on
PF_OUT but wouldn't that have other problems since the un-redirected
destination address may direct the packet to the wrong outgoing interface?

I haven't looked closely at upstream OpenBSD pf but it seems they have changed
the rule language considerably which would likely be a problem for FreeBSD
unless there is a compatibility mode. I seem to remember that they support
tables for rdr target addresses which may be useful for managing a pool of
load-balanced replicas.

Anyway, for now I have a workable solution for my two (related) use-cases:
'publishing' container ports to the host for podman and mapping service VIPs
to containers for kubernetes. I'm looking forward to seeing the right solution
for this merged into main (and maybe stable/13).

From nobody Fri Jan 27 08:59:35 2023
Date: Fri, 27 Jan 2023 08:59:35 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #17 from Kristof Provost ---
(In reply to dfr from comment #16)
> As far as I understand the code (which is not very well TBH), both nat and
> rdr rules rely on both PF_IN and PF_OUT events but differ on which event
> triggers state creation: PF_IN for rdr and PF_OUT for nat with the opposite
> event matching the other direction to reverse the re-write.

Sort of. I find it more useful to think about when the packets pass through
which parts of the stack. That does imply a direction (i.e. PF_IN/PF_OUT).

In the normal case, when we're thinking of rdr, we'd be dealing with incoming
packets, arriving through ip_input(), triggering a PF_IN pf_test().
For the failing case described here we're dealing with packets that are
generated locally, and the first time they hit the firewall is from
ip_output() (i.e. pf_test(PF_OUT)).
> For connections initiated locally, this symmetry is broken since we generate
> PF_IN events for the SYN causing the re-write and creating the state but
> since there is no corresponding PF_OUT for the SYN+ACK reply, the connection
> fails. This is why I think we need PF_OUT for packets which will be delivered
> to the local stack rather than routed onward.

For locally generated connections we're only getting the PF_IN after we've
already had a PF_OUT. We can't usefully do anything on SYN+ACK packets, and if
we're trying to add an artificial PF_OUT we're just papering over a problem
that started earlier.

> I thought about whether it makes sense for rdr state creation to happen on
> PF_OUT but wouldn't that have other problems since the un-redirected
> destination address may direct the packet to the wrong outgoing interface?

I'm not sure I follow.

> I haven't looked closely at upstream OpenBSD pf but it seems they have
> changed the rule language considerably which would likely be a problem for
> FreeBSD unless there is a compatibility mode. I seem to remember that they
> support tables for rdr target addresses which may be useful for managing a
> pool of load-balanced replicas.

Kajetan intends to keep the old syntax supported, at least for a while. I
still need to look at his work in detail, which I don't expect to be able to
do before the end of February.

> I'm looking forward to seeing the right solution for this merged into main
> (and maybe stable/13).

To be clear, I'm not making any promises about the time and effort I can spend
on this.

From nobody Fri Jan 27 13:16:24 2023
Date: Fri, 27 Jan 2023 13:16:24 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #18 from dfr@rabson.org ---
(In reply to Kristof Provost from comment #17)
> Sort of. I find it more useful to think about when the packets pass through
> which parts of the stack. That does imply a direction (i.e. PF_IN/PF_OUT).
> In the normal case, when we're thinking of rdr, we'd be dealing with incoming
> packets, arriving through ip_input(), triggering a PF_IN pf_test().
> For the failing case described here we're dealing with packets that are
> generated locally, and the first time they hit the firewall is from
> ip_output() (i.e. pf_test(PF_OUT)).

I like this description of the situation. In this case though, locally
generated packets are seen by the firewall via ip_input, causing a PF_IN event
and creating the state:

(kgdb) bt
#0  pf_create_state (r=0xfffffe00041c6df8, nr=0xfffff80027b0d800, a=0x0,
    nsn=0x0, nk=0xfffff80027b03a50, sk=0xfffff80027b03aa8, m=0xfffff800276b0200,
    off=20, sport=13975, dport=20480, rewrite=0xfffffe000378cae8,
    sm=0xfffffe000378cce8, tag=-1, bproto_sum=19927, bip_sum=0, hdrlen=20,
    pd=, kif=<optimized out>) at ../../../netpfil/pf/pf.c:4533
#1  pf_test_rule (rm=rm@entry=0xfffffe000378ccd8, sm=sm@entry=0xfffffe000378cce8,
    direction=direction@entry=1, kif=kif@entry=0xfffff800039b3200,
    m=m@entry=0xfffff800276b0200, off=off@entry=20, pd=0xfffffe000378cc00,
    am=0xfffffe000378ccb8, rsm=0xfffffe000378cca8, inp=0x0)
    at ../../../netpfil/pf/pf.c:4483
#2  0xffffffff80e6fc82 in pf_test (dir=dir@entry=1, pflags=65536,
    ifp=0xfffff800038f2800, m0=m0@entry=0xfffffe000378cdb0, inp=0x0)
    at ../../../netpfil/pf/pf.c:7217
#3  0xffffffff80e90f15 in pf_check_in (m=0xfffffe000378cdb0, ifp=0x0,
    flags=41175, ruleset=, inp=0x5000) at ../../../netpfil/pf/pf_ioctl.c:6463
#4  0xffffffff80d506e5 in pfil_mbuf_common (pch=, p=..., p@entry=...,
    ifp=0xfffff800038f2800, ifp@entry=0xfffffe000378cd80, flags=65536,
    inp=inp@entry=0x0) at ../../../net/pfil.c:214
#5  pfil_mbuf_in (head=0xfffff8000389de00, p=p@entry=...,
    ifp=ifp@entry=0xfffff800038f2800, inp=inp@entry=0x0) at ../../../net/pfil.c:226
#6  0xffffffff80dcfbb6 in ip_input (m=0xfffff800276b0200)
    at ../../../netinet/ip_input.c:613
#7  0xffffffff80d4d261 in netisr_process_workstream_proto (nwsp=0xffffffff825866c0,
    proto=1) at ../../../net/netisr.c:929
#8  swi_net (arg=0xffffffff825866c0) at ../../../net/netisr.c:976

In this case, the interface is lo0 and direction is PF_IN. The problem (at
least as I understand it) is that the replies don't generate the corresponding
PF_OUT and the state isn't matched. The return packets cause a PF_IN from the
incoming interface (e.g. bridge0) which does nothing and then they are
delivered to the local tcp stack without reversing the redirect and are
immediately rejected with RST.

>> I thought about whether it makes sense for rdr state creation to happen on
>> PF_OUT but wouldn't that have other problems since the un-redirected
>> destination address may direct the packet to the wrong outgoing interface?
>
> I'm not sure I follow.

What I'm trying to say is that for connection attempts to some local address
which would match the rdr rule, there will not be a PF_OUT event to trigger for
the same reason as what I'm suggesting above for the current PF_IN triggered
rule. The packet won't be re-written but instead will be delivered to the local
tcp and rejected.

> To be clear, I'm not making any promises about the time and effort I can
> spend on this.

Also to be clear, I'm not asking for you to do the work necessarily. I am
perfectly happy to do it if someone is prepared to review the change.
I do = have the time to work on this and the motivation since this problem is a blocker= for my projects. I am going to spend some time to see if ipfirewall is also affected. I have= a feeling that it might be for similar reasons. --=20 You are receiving this mail because: You are the assignee for the bug.= From nobody Fri Jan 27 15:38:49 2023 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4P3MDn45LCz3b1kC for ; Fri, 27 Jan 2023 15:38:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4P3MDn1vydz3Plp for ; Fri, 27 Jan 2023 15:38:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1674833929; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=34/+e1hcd+dBwU70EO8gC6PHnJtuRybn6mU0Vc38qFU=; b=OAOFAzsHpDlDTcTZPFuJC4MBOdeAuQg3dhUHZpoUW09f/kVeDqx5MaqzyE4EY/AAktKfnL h1KWndbJjDWeuoTUjcNlTGxomTX7/c0gfKmu73AbSC/zpL8aR83z6LzR6jBlForRacUCjk luMoAz88Sl2XqHLVmBLeaOvNvV3yIq2cO4PnQlDc4fBzSrjNKfKF81sYqvOeT5KnzkIIEe 20MEXN4dM5dB7MaXs0ZIkfbdyxj1mR5+95v6yleVw7lKZHQqadL1AkkVonZfnJ27buHgf5 1rY+U+GLBTKrzhAb7R+ouwCgjjAyg5oM3WnbzwXsvtSbaY6ekPhTIU5WKinIxA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1674833929; a=rsa-sha256; cv=none; 
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 15:38:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #19 from dfr@rabson.org ---
Testing with ipfirewall's ipnat module shows the exact same pattern where the rule matches the initial connection attempt and translates the destination address and port but the reply does not reverse the translation.

Adding a call to pfil_mbuf_out() in ip_input() right before the packet is handed off to upper-layer protocols fixes the problem for both pf and ipnat.

From nobody Fri Jan 27 15:39:22 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 15:39:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

dfr@rabson.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[pf] rdr rules don't work   |[pf] [ipnat] rdr rules
                   |for traffic originating at  |don't work for traffic
                   |localhost                   |originating at localhost

From nobody Fri Jan 27 15:47:18 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 15:47:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

Marek Zarychta changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zarychtam@plan-b.pwste.edu.
                   |                            |pl

--- Comment #20 from Marek Zarychta ---
(In reply to dfr from comment #19)
It looks like a feature, not a bug. Maybe you can rework your PF rules and/or either use multiple fibs with rtables keyword or pass with route-to keyword.

From nobody Fri Jan 27 15:55:50 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 15:55:50 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #21 from dfr@rabson.org ---
I don't think it's a feature - if we are not supporting rdr rules where the initial source address is local, then the rule shouldn't match at all.

As it is, for both pf and ipnat, the 'outgoing' rule matches, rewriting the destination address and port and creating state but reply packets never match that state because the firewall does not see the reply packet 'leaving' the network to be delivered to local tcp/udp/whatever.

From nobody Fri Jan 27 16:26:06 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 16:26:06 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

Marek Zarychta changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zarychtam@plan-b.pwste.edu.
                   |                            |pl

--- Comment #22 from Marek Zarychta ---
(In reply to dfr from comment #21)
> I don't think it's a feature

You are right. It's a missing feature, we lack more of them. But should one always submit a PR after finding a missing feature? Probably yes, if it's a patch with the implementation of that feature.
From nobody Fri Jan 27 16:33:37 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Fri, 27 Jan 2023 16:33:37 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #23 from dfr@rabson.org ---
The patch attached to this bug only covers pf. Moving the proposed fix to ip_input/ip6_input seems to fix both pf and ipnat (haven't checked ipfw yet). I will keep testing and update with a new patch.
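The failure mode dfr describes in comments #18 and #21 (rdr applied on the PF_IN pass through lo0, reply arriving on bridge0 with no PF_OUT pass, so the translation is never undone and local TCP answers with RST) and the fix proposed in comments #19 and #23, as an added illustration in C that is not part of this bug thread or of FreeBSD's source. It is a toy state table with a wire-side and a stack-side key per state (loosely after pf's wire/stack state keys) and direction-specific hook passes; the rdr rule, the addresses and the ports are constructed sample values, and simulate_local_rdr(true) models running the outbound hook in ip_input() before local delivery.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of pf rdr state tracking, written as an added illustration (not
 * FreeBSD's pf code); addresses, ports and the rule are constructed values. */

enum dir { PF_IN, PF_OUT };

struct flow { uint32_t src, dst; uint16_t sport, dport; };

struct pf_state {
    struct flow wire;   /* tuple before the rdr rewrite (wire side) */
    struct flow stack;  /* tuple after the rewrite (what local TCP sees) */
};

static struct pf_state states[8]; static int nstates;

/* Constructed rule: rdr ... to 10.0.0.1 port 80 -> 10.0.0.2 port 8080 */
#define RDR_MATCH_DST  0x0a000001u  /* 10.0.0.1 */
#define RDR_MATCH_PORT 80
#define RDR_TO_DST     0x0a000002u  /* 10.0.0.2 */
#define RDR_TO_PORT    8080
#define LOCAL_ADDR     0x0a0000feu  /* 10.0.0.254: this host */
#define REMOTE_ADDR    0xc000020au  /* 192.0.2.10: a remote client */

static bool flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport;
}

static struct flow reverse(const struct flow *f)
{
    return (struct flow){ f->dst, f->src, f->dport, f->sport };
}

/* One firewall pass: PF_IN matches/creates state on the wire-side key and
 * applies the rdr; PF_OUT matches replies on the stack-side key and undoes it. */
static bool pf_test(enum dir d, struct flow *pkt)
{
    for (int i = 0; i < nstates; i++) {
        struct pf_state *s = &states[i];
        struct flow rev = reverse(&s->stack);
        if (d == PF_IN && flow_eq(pkt, &s->wire)) {
            *pkt = s->stack;             /* forward packet: apply rdr */
            return true;
        }
        if (d == PF_OUT && flow_eq(pkt, &rev)) {
            *pkt = reverse(&s->wire);    /* reply: undo rdr */
            return true;
        }
    }
    if (d == PF_IN && nstates < 8 &&
        pkt->dst == RDR_MATCH_DST && pkt->dport == RDR_MATCH_PORT) {
        struct pf_state *s = &states[nstates++];
        s->wire = s->stack = *pkt;
        s->stack.dst = RDR_TO_DST;
        s->stack.dport = RDR_TO_PORT;
        *pkt = s->stack;
        return true;
    }
    return false;
}

/* Normal case: a remote client connects. The request enters through
 * ip_input() (PF_IN) and the reply leaves through ip_output() (PF_OUT). */
static bool simulate_remote_rdr(void)
{
    nstates = 0;
    struct flow syn = { REMOTE_ADDR, RDR_MATCH_DST, 50000, RDR_MATCH_PORT };
    struct flow expected = reverse(&syn);   /* what the client must see back */
    pf_test(PF_IN, &syn);                   /* rdr -> 10.0.0.2:8080, state created */
    struct flow reply = reverse(&syn);      /* 10.0.0.2:8080 answers */
    pf_test(PF_OUT, &reply);                /* ip_output(): state undoes the rdr */
    return flow_eq(&reply, &expected);
}

/* Failing case from comment #18: locally originated. The request hits PF_IN via
 * lo0 -> ip_input(), but the reply arrives on bridge0 and goes straight to TCP
 * with no PF_OUT pass. with_fix models comment #19: outbound hook in ip_input(). */
static bool simulate_local_rdr(bool with_fix)
{
    nstates = 0;
    struct flow syn = { LOCAL_ADDR, RDR_MATCH_DST, 40000, RDR_MATCH_PORT };
    struct flow expected = reverse(&syn);   /* the local socket's peer tuple */
    pf_test(PF_IN, &syn);                   /* lo0: rdr applied, state created */
    struct flow reply = reverse(&syn);      /* 10.0.0.2:8080 answers */
    pf_test(PF_IN, &reply);                 /* bridge0 PF_IN: no wire-key match */
    if (with_fix)
        pf_test(PF_OUT, &reply);            /* proposed pfil_mbuf_out() in ip_input() */
    return flow_eq(&reply, &expected);      /* false means local TCP sends RST */
}

int main(void)
{
    printf("remote client, no fix:  %s\n", simulate_remote_rdr() ? "ok" : "RST");
    printf("local origin, no fix:   %s\n", simulate_local_rdr(false) ? "ok" : "RST");
    printf("local origin, with fix: %s\n", simulate_local_rdr(true) ? "ok" : "RST");
}
```

Build with cc -std=c99 and run: the remote-client path succeeds without the fix, the local-origin path only with it. The model covers only the direction of the state lookup; it does not model pf's rule evaluation or the routing side effects raised in comment #20.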