Date:      Tue, 2 Aug 2005 13:51:15 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, Boris Polevoy <vapcom@mail.ru>
Subject:   Re: PF rdr bitmask BUG
Message-ID:  <200508021351.22789.max@love2party.net>
In-Reply-To: <E1DzuSI-0000Lt-00.vapcom-mail-ru@f41.mail.ru>
References:  <E1DzuSI-0000Lt-00.vapcom-mail-ru@f41.mail.ru>


On Tuesday 02 August 2005 12:57, Boris Polevoy wrote:
> Hello All!
>
> I have a problem with an rdr rule in pf.
>
> Test configuration:
>
> +---------+                  +---------+                   +---------+
> |client   |192.168.3.10/24   |firewall |10.0.0.1/24        |server   |
> |     fxp0+----------------->+fxp0 fxp1+------------------>+fxp0     |
> |         |    192.168.3.2/24|         |        10.0.0.2/24|         |
> +---------+    192.168.3.3/24+---------+        10.0.0.3/32+---------+
>
> The client and firewall boxes run FreeBSD 5.4-RELEASE, the server runs
> FreeBSD 4.7-RELEASE. On the firewall, interface fxp0 has two aliases,
> 192.168.3.2/24 and 192.168.3.3/24; on the server box, fxp0 has the aliases
> 10.0.0.2/24 and 10.0.0.3/32 for testing the redirection.
>
> Rules in pf on firewall:
>   rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
>   pass all
>
> Test command on client:
>   ping -c4 192.168.3.2
>
> Ping does not work; packets from the firewall go to the wrong addresses.
>
> I added a log print to the pf code, in function pf_map_addr() in pf.c:
>
>   case PF_POOL_BITMASK:
> #define QUAD_ADDR(_addr)                                \
>     ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
>     ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]
>
>     printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
>            QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4), QUAD_ADDR(saddr->v4));
>     PF_POOLMASK(naddr, raddr, rmask, saddr, af);
>     printf("naddr:<%u.%u.%u.%u>\n", QUAD_ADDR(naddr->v4));
>     break;
>
> The log output shows that _naddr_ after translation is 10.0.0.10, but I
> think it must be 10.0.0.2.
>
> It seems the call to pf_map_addr() in pf_get_translation() is wrong:
> instead of the destination address, the source address is used:
> case PF_RDR:
>         if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
>                 return (NULL);
>
> It must be (daddr instead of saddr):
>         if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
>                 return (NULL);
>
> Is it a bug or not?

From a quick first look, your analysis seems to be correct: according to 
pf.conf(5), bitmask should use the destination address for rdr.  However, the 
proposed fix will not work as it breaks (at least) the sticky address option.

Maybe it's easiest to fix the host part in pf_get_translation after the 
pf_map_addr call?  This would require some amount of code duplication, 
though.

I will be looking for a better fix during/after the weekend.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
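The following is an added illustration of the address arithmetic behind the report; it is not code from the thread or from pf itself. It reproduces what pf's PF_POOLMASK macro does for IPv4 (network part from the pool address, host part from the packet address: `(raddr & rmask) | (addr & ~rmask)`) in a standalone C program, and runs it twice with the reporter's numbers: once keeping the host bits of the client's source address 192.168.3.10, once keeping those of the destination 192.168.3.2. The helper names (`parse_ip4`, `pool_bitmask4`, `rdr_bitmask_target`) and the parsing code are mine, not pf's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into a host-order 32-bit value. Returns 1 on
 * success, 0 on malformed input. Helper written for this example. */
static int parse_ip4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Build a netmask from a prefix length (0..32). */
static uint32_t prefix_to_mask(int plen)
{
    if (plen <= 0)
        return 0;
    if (plen >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - plen);
}

static void format_ip4(uint32_t ip, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u",
             (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 0xff),
             (unsigned)((ip >> 8) & 0xff), (unsigned)(ip & 0xff));
}

/* Same combination PF_POOLMASK performs for an IPv4 pool with the
 * "bitmask" option: network bits from the pool, host bits from addr. */
static uint32_t pool_bitmask4(uint32_t raddr, uint32_t rmask, uint32_t addr)
{
    return (raddr & rmask) | (addr & ~rmask);
}

/* Compute the rdr target for "-> pool/plen bitmask" when the host part
 * is taken from keep_host_of. Writes the result to out; returns 1 on
 * success, 0 on bad input. */
static int rdr_bitmask_target(const char *pool, int plen,
                              const char *keep_host_of,
                              char *out, size_t outlen)
{
    uint32_t p, a;

    if (plen < 0 || plen > 32)
        return 0;
    if (!parse_ip4(pool, &p) || !parse_ip4(keep_host_of, &a))
        return 0;
    format_ip4(pool_bitmask4(p, prefix_to_mask(plen), a), out, outlen);
    return 1;
}

int main(void)
{
    /* Constructed from the report: rdr ... to 192.168.3.0/24 -> 10.0.0.0/24
     * bitmask, client 192.168.3.10 pinging the alias 192.168.3.2. */
    char buf[16];

    if (rdr_bitmask_target("10.0.0.0", 24, "192.168.3.10", buf, sizeof buf))
        printf("host bits from source address:      %s\n", buf);
    if (rdr_bitmask_target("10.0.0.0", 24, "192.168.3.2", buf, sizeof buf))
        printf("host bits from destination address: %s\n", buf);
    return 0;
}
```

With the host bits taken from the source address the target comes out as 10.0.0.10, the value the reporter saw in the kernel log; taken from the destination address it is 10.0.0.2, the server alias the rule was meant to reach. The program only shows the arithmetic; it says nothing about the sticky-address interaction Max mentions, which concerns the source-node bookkeeping around the same call, not the mask computation.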


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200508021351.22789.max>