From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Wed, 31 May 2023 10:11:45 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #32 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc

commit 5ab151574c8a1824c6cd8eded28506cb983284bc
Author:     Doug Rabson
AuthorDate: 2023-05-24 13:11:37 +0000
Commit:     Doug Rabson
CommitDate: 2023-05-31 10:11:05 +0000

    netinet*: Fix redirects for connections from localhost

    Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
    rules to change the destination address and port for a connection.
    Typically, the rule triggers on an input event when a packet is received
    by a router and the destination address and/or port is changed to
    implement the redirect. When a reply packet on this connection is output
    to the network, the rule triggers again, reversing the modification.

    When the connection is initiated on the same host as the packet filter,
    it is initially output via lo0 which queues it for input processing.
    This causes an input event on the lo0 interface, allowing redirect
    processing to rewrite the destination and create state for the
    connection. However, when the reply is received, no corresponding output
    event is generated; instead, the packet is delivered to the higher level
    protocol (e.g. tcp or udp) without reversing the redirect, the reply is
    not matched to the connection and the packet is dropped (for tcp, a
    connection reset is also sent).

    This commit fixes the problem by adding a second packet filter call in
    the input path. The second call happens right before the handoff to
    higher level processing and provides the missing output event to allow
    the redirect's reply processing to perform its rewrite.

    This extra processing is disabled by default and can be enabled using
    pfilctl:

        pfilctl link -o pf:default-out inet-local
        pfilctl link -o pf:default-out6 inet6-local

    PR:             268717
    Reviewed-by:    kp, melifaro
    MFC-after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D40256

 sys/netinet/ip_input.c                  | 22 ++++++++-
 sys/netinet/ip_var.h                    |  4 ++
 sys/netinet6/ip6_input.c                | 19 ++++++++
 sys/netinet6/ip6_var.h                  |  4 ++
 tests/sys/netpfil/common/Makefile       |  1 +
 tests/sys/netpfil/{pf => common}/rdr.sh | 84 +++++++++++++++++++++++++++++++----
 tests/sys/netpfil/common/utils.subr     |  4 ++
 tests/sys/netpfil/pf/Makefile           |  1 -
 8 files changed, 127 insertions(+), 12 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
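The failure mode the commit message describes, modelled as an added Python illustration (not FreeBSD or pf code): a toy rdr rule with a state table sees the same event sequence a loopback-originated connection gets, once without and once with the extra local output event the commit introduces. The packet layout, the addresses and the state-table keying are simplified assumptions.

```python
from dataclasses import dataclass

# Added illustration, not FreeBSD code: a toy model of pf(4) rdr handling for
# a connection that both starts and terminates on the filtering host.
# Addresses are constructed sample values; the method names mirror PFIL_IN and
# PFIL_OUT from the commit message, the state table is a simplification.

Endpoint = tuple[str, int]


@dataclass(frozen=True)
class Pkt:
    src: Endpoint
    dst: Endpoint


class Rdr:
    """One rdr rule: traffic to `match` is sent to `target`, replies reversed."""

    def __init__(self, match: Endpoint, target: Endpoint) -> None:
        self.match, self.target = match, target
        self.states: dict[tuple[Endpoint, Endpoint], Endpoint] = {}

    def pfil_in(self, p: Pkt) -> Pkt:
        # PFIL_IN: forward direction, rewrite dst and remember the original.
        if p.dst == self.match:
            self.states[(p.src, self.target)] = p.dst
            return Pkt(p.src, self.target)
        return p

    def pfil_out(self, p: Pkt) -> Pkt:
        # PFIL_OUT: reply direction, undo the rewrite if matching state exists.
        original = self.states.get((p.dst, p.src))
        return Pkt(original, p.dst) if original else p


def local_connect(rdr: Rdr, client: Endpoint, extra_local_out: bool) -> bool:
    """Return True if the reply reaches the local client's socket unmangled."""
    # SYN leaves via lo0, is queued and re-enters: an input event on lo0.
    syn = rdr.pfil_in(Pkt(client, rdr.match))
    assert syn.dst == rdr.target          # delivered to the redirected service
    # The service's reply also loops through lo0 and gets only an input event.
    reply = rdr.pfil_in(Pkt(rdr.target, client))
    if extra_local_out:
        # The commit's extra hook (pf:default-out on inet-local) supplies the
        # missing output event right before the handoff to tcp/udp.
        reply = rdr.pfil_out(reply)
    # The client socket only accepts replies from the address it connected to.
    return reply.src == rdr.match


if __name__ == "__main__":
    CLIENT, VIP, SVC = ("127.0.0.1", 40000), ("192.0.2.10", 80), ("127.0.0.1", 8080)
    for hooked in (False, True):
        ok = local_connect(Rdr(VIP, SVC), CLIENT, hooked)
        print(f"local-out hook {'on' if hooked else 'off'}: reply {'matched' if ok else 'dropped'}")
```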