From owner-freebsd-pf@FreeBSD.ORG  Thu May  8 16:41:30 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 953D51065674
	for <freebsd-pf@freebsd.org>; Thu,  8 May 2008 16:41:30 +0000 (UTC)
	(envelope-from ermal.luci@gmail.com)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.234])
	by mx1.freebsd.org (Postfix) with ESMTP id 63A308FC14
	for <freebsd-pf@freebsd.org>; Thu,  8 May 2008 16:41:30 +0000 (UTC)
	(envelope-from ermal.luci@gmail.com)
Received: by rv-out-0506.google.com with SMTP id b25so1405411rvf.43
	for <freebsd-pf@freebsd.org>; Thu, 08 May 2008 09:41:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	bh=e8K0MLFwaZ3g/mCu82Z+UWcBt/e6dRpDm5EGxtbSDjA=;
	b=vqQmZt7kJF4DGQ73PgeDTqFfqFrQhhrbs9xDmkxbLaKs9I31PXEikHSN39V95cMk4EFai4aDt2LO+k8/isa7vblJq3SSy9YN+FEY0HhbxqhdfT1rP5BzM6vd9sEFX5ozVJitUZXNLmvYKWp47hvLkuXudf2sK07+YqqCzXUCqmM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=JaeN2UwHrxeJDzsDH321qkkH8uTYbExZLCiPUZhY+/wPkxp2OegtKrek1igKF68RHe0EapAnlzuKykrxUxkW0B5ZsTrpTzjAsX7lUcWRtV5JetLjiQJXIMDeFNm48ga6ko/CYIAaaUgmys8+G++Y/MKUNvOCirl7EtD8nhPnDho=
Received: by 10.141.132.1 with SMTP id j1mr1620712rvn.64.1210264889637;
	Thu, 08 May 2008 09:41:29 -0700 (PDT)
Received: by 10.140.135.3 with HTTP; Thu, 8 May 2008 09:41:29 -0700 (PDT)
Message-ID: <9a542da30805080941odbc9f74g1a2367285c5a718a@mail.gmail.com>
Date: Thu, 8 May 2008 18:41:29 +0200
From: "=?ISO-8859-1?Q?Ermal_Lu=E7i?=" <ermal.luci@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <20080508115823.GB7168@hobbes.ustdmz.roe.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <48222786.3050400@samoylyk.sumy.ua>
	<20080508085234.2cac29ca@twoflower.in.publishing.hu>
	<4822B459.6090307@samoylyk.sumy.ua>
	<20080508101252.4d25b9eb@twoflower.in.publishing.hu>
	<4822BB8A.8030507@samoylyk.sumy.ua>
	<20080508104308.702e8911@twoflower.in.publishing.hu>
	<20080508115823.GB7168@hobbes.ustdmz.roe.ch>
Subject: Re: iptables rule in pf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2008 16:41:30 -0000

On Thu, May 8, 2008 at 1:58 PM, Daniel Roethlisberger <daniel@roe.ch> wrote:
> CZUCZY Gergely <gergely.czuczy@harmless.hu> 2008-05-08:
>> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk
>> <oleksandr@samoylyk.sumy.ua> wrote:
>> > >> That iptables rule worked for any destination.
>> > > You cannot rewrite a packet's destination address to _any_
>> > > destination.
>> > >
>> > > It's like you cannot submit a package at the post office with the
>> > > destination address "any". It's just meaningless.
>> >
>> > However it works with iptables. :)
>> >
>> > What can I do in my situation in order to gain the same
>> > functionality by means of pf or other additional daemons?
>> No, it doesn't. That iptables rule only affects the port number, where
>> it defaults to the original dst address. So it defaults to something,
>> where as pf doesn't. With pf you have to explicitly specify the
>> rewritten dst IP.
>>
>> In my first reply I've told you to read the openbsd FAQ. You haven't
>> done it. I _strongly_ suggest you, before doing your next reply to the
>> list. go and read that FAQ. Here's the URL once more, I bet you've
>> lost it under your desk...  http://www.openbsd.org/faq/pf/
>
> Netfilter allows to rewrite the destination port without rewriting the
> destination address.  It would seem like that this is not possible with
> pf, at least not using rdr.  But it is not necessary, since
> my.smtp.server is the only destination on port 25 that will not be
> dropped by the previous rule, so you can just specify my.smtp.server as
> destination in the rdr rule.
>
> Just in case this is about submitting mail around port 25 filters (in
> contrast to a fixed MTA-MTA "tunnel" on port 2525), you probably want to
> use SMTP AUTH on the submission port (587) to solve this problem, not
> just provide plain SMTP on a different port.  On the submission port,
> authentication is mandatory, which prevents it being used by spambots to
> deliver mail directly to your MTA.  Using submission and blocking port
> 25 for end-user address ranges does have anti-spam benefits.
>
> --
> Daniel Roethlisberger
> http://daniel.roe.ch/
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

How about this patch.
I have not really tested it but should do just port rewriting with a rule as

rdr on $int proto tcp from any to any port 255 -> port 25 any

Ermal

Index: contrib/pf/pfctl/parse.y
===================================================================
RCS file: /home/ncvs/src/contrib/pf/pfctl/parse.y,v
retrieving revision 1.8
diff -u -r1.8 parse.y
--- contrib/pf/pfctl/parse.y	3 Jul 2007 12:30:02 -0000	1.8
+++ contrib/pf/pfctl/parse.y	8 May 2008 16:33:30 -0000
@@ -3326,6 +3326,12 @@
 			$$->host = $2;
 			$$->rport.a = $$->rport.b = $$->rport.t = 0;
 		}
+		| ARROW PORT rport {
+			$$ = calloc(1, sizeof(struct redirection));
+                        if ($$ == NULL)
+                                err(1, "redirection: calloc");
+                        $$->rport = $4;
+		}
 		| ARROW redirspec PORT rport	{
 			$$ = calloc(1, sizeof(struct redirection));
 			if ($$ == NULL)
@@ -3442,6 +3448,13 @@
 			pool_opts.marker |= POM_STICKYADDRESS;
 			pool_opts.opts |= PF_POOL_STICKYADDR;
 		}
+		| ANY {
+			if (pool_opts.type) {
+                                yyerror("pool type cannot be redefined");
+                                YYERROR;
+                        }
+                        pool_opts.type = PF_POOL_ANY;
+		}
 		;

 redirection	: /* empty */			{ $$ = NULL; }
@@ -3549,6 +3562,10 @@
 					YYERROR;
 				}
 			} else {
+				r.rpool.opts = $10.type;
+				if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
+                                    PF_POOL_ANY) {
+
 				if ($9 == NULL || $9->host == NULL) {
 					yyerror("translation rule requires '-> "
 					    "address'");
@@ -3562,6 +3579,14 @@
 					YYERROR;
 				if (check_netmask($9->host, r.af))
 					YYERROR;
+				}
+
+				if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
+                                    PF_POOL_ANY && r.action != PF_RDR) {
+					yyerror("any pool type valid only for rdr"
+                                            " action");
+                                        YYERROR;
+                                }

 				r.rpool.proxy_port[0] = ntohs($9->rport.a);

@@ -3596,7 +3621,6 @@
 					break;
 				}

-				r.rpool.opts = $10.type;
 				if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
 				    PF_POOL_NONE && ($9->host->next != NULL ||
 				    $9->host->addr.type == PF_ADDR_TABLE ||
@@ -3614,7 +3638,7 @@
 				    "is only supported in round-robin "
 				    "redirection pools"))
 					YYERROR;
-				if ($9->host->next != NULL) {
+				if ($9 != NULL && $9->host != NULL && $9->host->next != NULL) {
 					if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
 					    PF_POOL_ROUNDROBIN) {
 						yyerror("only round-robin "
Index: sys/contrib/pf/net/pf.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.46.2.1
diff -u -r1.46.2.1 pf.c
--- sys/contrib/pf/net/pf.c	25 Nov 2007 19:26:46 -0000	1.46.2.1
+++ sys/contrib/pf/net/pf.c	8 May 2008 16:33:31 -0000
@@ -2859,13 +2859,18 @@
 			}
 			break;
 		case PF_RDR: {
-			if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
-				return (NULL);
-			if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
-			    PF_POOL_BITMASK)
-				PF_POOLMASK(naddr, naddr,
-				    &r->rpool.cur->addr.v.a.mask, daddr,
-				    pd->af);
+			 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
+                            PF_POOL_ANY) {
+				PF_ACPY(naddr, daddr, pd->af);
+			} else {
+				if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
+                                        return (NULL);
+				if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
+			    		PF_POOL_BITMASK)
+					PF_POOLMASK(naddr, naddr,
+				    		&r->rpool.cur->addr.v.a.mask, daddr,
+				    		pd->af);
+			}

 			if (r->rpool.proxy_port[1]) {
 				u_int32_t	tmp_nport;
Index: sys/contrib/pf/net/pfvar.h
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/pfvar.h,v
retrieving revision 1.16.2.1
diff -u -r1.16.2.1 pfvar.h
--- sys/contrib/pf/net/pfvar.h	12 Apr 2008 18:26:48 -0000	1.16.2.1
+++ sys/contrib/pf/net/pfvar.h	8 May 2008 16:33:31 -0000
@@ -130,7 +130,7 @@
 	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
 #define PF_POOL_IDMASK		0x0f
 enum	{ PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
-	  PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
+	  PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN, PF_POOL_ANY };
 enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 	  PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED };
 #define PF_POOL_TYPEMASK	0x0f