From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, Boris Polevoy
Date: Tue, 2 Aug 2005 13:51:15 +0200
Subject: Re: PF rdr bitmask BUG
Message-Id: <200508021351.22789.max@love2party.net>

On Tuesday 02 August 2005 12:57, Boris Polevoy wrote:
> Hello All!
>
> I have some problem with an rdr rule in pf.
>
> Test configuration:
>
>  +---------+                 +---------+                   +---------+
>  |client   |192.168.3.10/24  |firewall |10.0.0.1/24        |server   |
>  |     fxp0+---------------->+fxp0 fxp1+------------------>+fxp0     |
>  |         |                 |         |                   |         |
>  |         |  192.168.3.2/24 |         |   10.0.0.2/24     |         |
>  +---------+  192.168.3.3/24 +---------+   10.0.0.3/32     +---------+
>
> The client and firewall boxes run FreeBSD 5.4-RELEASE, the server runs
> FreeBSD 4.7-RELEASE. On the firewall, interface fxp0 has two aliases,
> 192.168.3.2/24 and 192.168.3.3/24; on the server box, fxp0 has the
> aliases 10.0.0.2/24 and 10.0.0.3/32 for the test redirection.
>
> Rules in pf on the firewall:
>
>   rdr on fxp0 inet from any to 192.168.3.0/24 -> 10.0.0.0/24 bitmask
>   pass all
>
> Test command on the client:
>
>   ping -c4 192.168.3.2
>
> Ping does not work; packets from the firewall go to the wrong addresses.
>
> I have added a log print in the pf code, in function pf.c/pf_map_addr():
>
>   case PF_POOL_BITMASK:
>   /* debug print: dump the pool address, pool mask and packet address
>    * that PF_POOLMASK combines, then the resulting translated address */
>   #define QUAD_ADDR(_addr) \
>           ((uint8_t *) &(_addr))[0], ((uint8_t *) &(_addr))[1], \
>           ((uint8_t *) &(_addr))[2], ((uint8_t *) &(_addr))[3]
>
>           printf("raddr:<%u.%u.%u.%u> rmask:<%u.%u.%u.%u> saddr:<%u.%u.%u.%u>\n",
>               QUAD_ADDR(raddr->v4), QUAD_ADDR(rmask->v4),
>               QUAD_ADDR(saddr->v4));
>           PF_POOLMASK(naddr, raddr, rmask, saddr, af);
>           printf("naddr:<%u.%u.%u.%u>\n", QUAD_ADDR(naddr->v4));
>           break;
>
> The log output shows that _naddr_ after translation is 10.0.0.10, but I
> think it must be 10.0.0.2.
>
> It seems to be a wrong call of pf_map_addr() in pf_get_translation();
> instead of the destination address, the source address is used:
>
>   case PF_RDR:
>           if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
>                   return (NULL);
>
> It must be:                         vvvvv
>
>           if (pf_map_addr(pd->af, r, daddr, naddr, NULL, sn))
>                   return (NULL);
>
> Is it a bug or not?

From a quick first look your analysis seems to be correct - according to
pf.conf(5) bitmask should use the destination address for rdr. However, the
proposed fix will not work as it breaks (at least) the sticky address option.
Maybe it's easiest to fix the host part in pf_get_translation after the
pf_map_addr call? This would require some amount of code duplication,
though. I will be looking for a better fix during/after the weekend.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
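The translation the report describes, as an added example that is not code from the thread or from pf itself: the IPv4 case of pf's PF_POOLMASK macro (network bits from the pool address, host bits from the packet address) re-implemented in user space and fed the pool, mask and packet addresses from the test setup above. The helper names ip4, pool_bitmask and rdr_bitmask are mine; the only assumption is the standard BSD/POSIX inet_pton/inet_ntop API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Parse a dotted quad into a host-order 32-bit value (0 on bad input). */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* IPv4 case of PF_POOLMASK: keep the network part of the pool address
 * (raddr & rmask) and take the host part from the packet address. */
static uint32_t pool_bitmask(uint32_t raddr, uint32_t rmask, uint32_t host)
{
    return (raddr & rmask) | (~rmask & host);
}

/* Address chosen by "rdr ... -> <pool>/<mask> bitmask" when the host bits
 * come from the packet address pkt. Returns a static dotted-quad string. */
static const char *rdr_bitmask(const char *pool, const char *mask,
                               const char *pkt)
{
    static char buf[INET_ADDRSTRLEN];
    struct in_addr out;
    out.s_addr = htonl(pool_bitmask(ip4(pool), ip4(mask), ip4(pkt)));
    return inet_ntop(AF_INET, &out, buf, sizeof(buf));
}

int main(void)
{
    /* Constructed from the report: client pings the firewall alias. */
    const char *src = "192.168.3.10";   /* packet source (client)     */
    const char *dst = "192.168.3.2";    /* packet destination (alias) */

    /* Host bits from saddr: what the reporter's log print shows. */
    printf("host bits from saddr: %s\n",
           rdr_bitmask("10.0.0.0", "255.255.255.0", src));
    /* Host bits from daddr: what pf.conf(5) describes for rdr bitmask. */
    printf("host bits from daddr: %s\n",
           rdr_bitmask("10.0.0.0", "255.255.255.0", dst));
    return 0;
}
```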