From: Boris Polevoy
To: freebsd-pf@freebsd.org
Cc: mlaier@freebsd.org
Date: Tue, 02 Aug 2005 14:57:06 +0400
Subject: PF rdr bitmask BUG

Hello All!

I have some problem with the rdr rule in pf. Test configuration:

+---------+                  +---------+                   +---------+
|client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
|     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
|         |   192.168.3.2/24 |         |        10.0.0.2/24|         |
+---------+   192.168.3.3/24 +---------+        10.0.0.3/32+---------+

The client and firewall boxes run FreeBSD 5.4-RELEASE, the server runs FreeBSD 4.7-RELEASE. On the firewall, interface fxp0 has two aliases, 192.168.3.2/24 and 192.168.3.3/24; on the server box, fxp0 has the aliases 10.0.0.2/24 and 10.0.0.3/32 for the test redirection.

Rules in pf on the firewall:

    rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
    pass all

Test command on the client:

    ping -c4 192.168.3.2

Ping does not work; packets from the firewall go to the wrong addresses. I added a log print in the pf code, in function pf.c/pf_map_addr():

    case PF_POOL_BITMASK:
    #define QUAD_ADDR(_addr) \
        ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
        ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]
        printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
            QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
        PF_POOLMASK(naddr, raddr, rmask, saddr, af);
        printf("naddr:<%u.%u.%u.%u> \n", QUAD_ADDR(naddr->v4));
        break;

The log output shows that _naddr_ after translation is 10.0.0.10, but I think it must be 10.0.0.2. It seems to be a wrong call of pf_map_addr() in pf_get_translation(): instead of the destination address, the source address is used:

    case PF_RDR:
        if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
            return (NULL);

It must be

                                     vvvvv
        if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
            return (NULL);

Is it a bug or not?

With best regards,
Boris Polevoy
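The arithmetic behind the reported 10.0.0.10 versus the expected 10.0.0.2 can be checked outside the kernel. The following is an added example, not code from the mail or from the pf source: it models the IPv4 case of the PF_POOLMASK bitmask pool (network bits from the pool address, host bits from the packet address) and feeds it either the source or the destination address of the ping in the mail. The names pool_bitmask, ip4, ip4str and rdr_bitmask are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4-only model of the "bitmask" pool translation (added example, not the
 * pf macro itself): network bits come from the pool address (raddr & rmask),
 * host bits from the packet address that was passed in (addr & ~rmask). */
static uint32_t pool_bitmask(uint32_t raddr, uint32_t rmask, uint32_t addr)
{
    return (raddr & rmask) | (addr & ~rmask);
}

/* Dotted quad -> host-order 32-bit value; 0 on parse failure (demo only). */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Host-order 32-bit value -> dotted quad in out (n must be >= 16). */
static void ip4str(uint32_t v, char *out, size_t n)
{
    snprintf(out, n, "%u.%u.%u.%u",
             (v >> 24) & 0xff, (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff);
}

/* Model of the rdr case for the rule in the mail:
 *   rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
 * use_daddr == 0 takes the host bits from the source address (the behaviour
 * observed in the mail); use_daddr != 0 takes them from the destination
 * address (the proposed fix). Returns the translated address, host order. */
static uint32_t rdr_bitmask(const char *saddr, const char *daddr, int use_daddr)
{
    uint32_t raddr = ip4("10.0.0.0");        /* pool address from the rule */
    uint32_t rmask = ip4("255.255.255.0");   /* /24 from the rule */
    uint32_t pkt = use_daddr ? ip4(daddr) : ip4(saddr);
    return pool_bitmask(raddr, rmask, pkt);
}

int main(void)
{
    char buf[16];
    /* Constructed packet from the mail's test: 192.168.3.10 pings 192.168.3.2. */
    ip4str(rdr_bitmask("192.168.3.10", "192.168.3.2", 0), buf, sizeof buf);
    printf("host bits from saddr: %s\n", buf);   /* 10.0.0.10, as observed */
    ip4str(rdr_bitmask("192.168.3.10", "192.168.3.2", 1), buf, sizeof buf);
    printf("host bits from daddr: %s\n", buf);   /* 10.0.0.2, as expected */
    return 0;
}
```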