From owner-freebsd-pf@freebsd.org Sat May 21 19:24:30 2016
Return-Path:
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E31FEB44D3A for ; Sat, 21 May 2016 19:24:30 +0000 (UTC) (envelope-from maximos@als.nnov.ru)
Received: from mx.als.nnov.ru (mx.als.nnov.ru [95.79.102.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A7DFE180A for ; Sat, 21 May 2016 19:24:30 +0000 (UTC) (envelope-from maximos@als.nnov.ru)
Received: from [10.4.1.100] by mx.als.nnov.ru with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.86_2 (FreeBSD)) (envelope-from ) id 1b4CVL-00053b-5P for freebsd-pf@freebsd.org; Sat, 21 May 2016 22:24:07 +0300
To: freebsd-pf@freebsd.org
From: Max
Subject: Bug 201519
Message-ID:
Date: Sat, 21 May 2016 22:24:06 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 21 May 2016 19:24:31 -0000

Hello,

I have patched and tested "case IPPROTO_UDP". It works. Other cases should work too, I think. It's against releng/10.3.

--- sys/netpfil/pf/pf.c.orig 2016-05-21 17:57:29.420602000 +0300
+++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
@@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta &nk->addr[pd2.didx], pd2.af) || nk->port[pd2.didx] != uh.uh_dport) pf_change_icmp(pd2.dst, &uh.uh_dport, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], + saddr, &nk->addr[pd2.didx], nk->port[pd2.didx], &uh.uh_sum, pd2.ip_sum, icmpsum, pd->ip_sum, 1, pd2.af); Before: # tcpdump -vni em1 'vlan and src net 10.0.0.0/8' tcpdump: WARNING: em1: no IPv4 address assigned tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes 18:26:53.523646 IP (tos 0x0, ttl 63, id 36181, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 65501 unreachable, length 36 IP (tos 0x0, ttl 61, id 27788, offset 0, flags [none], proto UDP (17), length 150) AA.AA.AA.AA.53 > XX.XX.XX.XX.65501: [|domain] 18:26:53.523657 IP (tos 0x0, ttl 63, id 36182, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51397 unreachable, length 36 IP (tos 0x0, ttl 61, id 27789, offset 0, flags [none], proto UDP (17), length 150) AA.AA.AA.AA.53 > XX.XX.XX.XX.51397: [|domain] 18:26:56.629648 IP (tos 0x0, ttl 63, id 36456, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 65254 unreachable, length 36 IP (tos 0x88, ttl 62, id 13875, offset 0, flags [none], proto UDP (17), length 137) CC.CC.CC.CC.53 > YY.YY.YY.YY.65254: [|domain] 18:27:27.746093 IP (tos 0x0, ttl 63, id 38864, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 62079 unreachable, length 36 IP (tos 0x0, ttl 61, id 429, offset 0, flags [none], proto UDP (17), length 150) BB.BB.BB.BB.53 > XX.XX.XX.XX.62079: [|domain] 18:27:27.746104 IP (tos 0x0, ttl 63, id 38865, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 51628 unreachable, length 36 IP (tos 0x0, ttl 61, id 428, offset 0, flags [none], proto UDP (17), length 150) 
BB.BB.BB.BB.53 > XX.XX.XX.XX.51628: [|domain] 18:29:19.805568 IP (tos 0x0, ttl 63, id 42754, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 52016 unreachable, length 36 IP (tos 0x88, ttl 62, id 13974, offset 0, flags [none], proto UDP (17), length 151) CC.CC.CC.CC.53 > YY.YY.YY.YY.52016: [|domain] After: # date ; tcpdump -vni em1 'vlan and src net 10.0.0.0/8' ; date Sat May 21 18:40:08 MSK 2016 tcpdump: WARNING: em1: no IPv4 address assigned tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes ^C 0 packets captured 80373 packets received by filter 0 packets dropped by kernel Sat May 21 18:54:53 MSK 2016 # tcpdump -vni em1 'vlan and icmp[icmptype] = icmp-unreach' tcpdump: WARNING: em1: no IPv4 address assigned tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes 19:11:39.539336 IP (tos 0x0, ttl 63, id 46008, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 51264 unreachable, length 36 IP (tos 0x88, ttl 62, id 15144, offset 0, flags [none], proto UDP (17), length 463) BB.BB.BB.BB.53 > YY.YY.YY.YY.51264: [|domain] 19:11:40.063673 IP (tos 0x0, ttl 63, id 46031, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 54326 unreachable, length 36 IP (tos 0x88, ttl 62, id 15145, offset 0, flags [none], proto UDP (17), length 463) BB.BB.BB.BB.53 > YY.YY.YY.YY.54326: [|domain] 19:12:13.830491 IP (tos 0x0, ttl 63, id 47980, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 50234 unreachable, length 36 IP (tos 0x0, ttl 61, id 14958, offset 0, flags [none], proto UDP (17), length 152) AA.AA.AA.AA.53 > XX.XX.XX.XX.50234: [|domain] 19:12:13.830502 IP (tos 0x0, ttl 63, id 47981, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 56144 unreachable, length 36 IP (tos 
0x0, ttl 61, id 14959, offset 0, flags [none], proto UDP (17), length 141) AA.AA.AA.AA.53 > XX.XX.XX.XX.56144: [|domain] 19:12:13.830512 IP (tos 0x0, ttl 63, id 47982, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51648 unreachable, length 36 IP (tos 0x0, ttl 61, id 14960, offset 0, flags [none], proto UDP (17), length 152) AA.AA.AA.AA.53 > XX.XX.XX.XX.51648: [|domain] 19:13:01.643129 IP (tos 0x0, ttl 63, id 50328, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 57306 unreachable, length 36 IP (tos 0x88, ttl 62, id 15226, offset 0, flags [none], proto UDP (17), length 152) CC.CC.CC.CC.53 > YY.YY.YY.YY.57306: [|domain] 19:13:31.672915 IP (tos 0x0, ttl 63, id 51139, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 60908 unreachable, length 36 IP (tos 0x88, ttl 62, id 15253, offset 0, flags [none], proto UDP (17), length 154) CC.CC.CC.CC.53 > YY.YY.YY.YY.60908: [|domain] 19:13:32.115936 IP (tos 0x0, ttl 63, id 51186, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 54767 unreachable, length 36 IP (tos 0x88, ttl 62, id 15254, offset 0, flags [none], proto UDP (17), length 154) CC.CC.CC.CC.53 > YY.YY.YY.YY.54767: [|domain] 19:13:32.995098 IP (tos 0x0, ttl 63, id 51209, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 58573 unreachable, length 36 IP (tos 0x88, ttl 62, id 15258, offset 0, flags [none], proto UDP (17), length 149) BB.BB.BB.BB.53 > YY.YY.YY.YY.58573: [|domain]
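Review bot: the hunk changes only the UDP branch of pf_test_state_icmp(), replacing the `NULL, /* XXX Inbound NAT? */` outer-address argument to pf_change_icmp() with `saddr`, and the cover note says the other protocol cases were left untested; before this lands, the TCP and ICMP branches of the same switch should be checked for the same NULL placeholder and given the same one-line treatment plus the same before/after capture, otherwise only UDP errors get a translated outer source. The captures document what the change buys and are worth keeping with the commit: before, the port-unreachable leaves em1 as `10.1.0.3 > AA.AA.AA.AA` while the quoted packet is already `AA.AA.AA.AA.53 > XX.XX.XX.XX.65501`, so the outer header still carries the untranslated internal address; after, the outer source is `XX.XX.XX.XX`, matching the quoted packet's destination. Two things to confirm in the reply: that passing a non-NULL outer address together with `pd->ip_sum` (already in the argument list in the context lines) is the intended way to get the outer IP checksum updated, and that the call remains guarded by the `nk->addr`/`nk->port` comparison shown in the leading context so untranslated states are not rewritten. The hunk also deletes the `XXX` comment without a replacement; a one-line comment saying that inbound NAT of the outer source is now handled would preserve that history.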
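The before/after captures differ in exactly one field: the outer source of the ICMP port-unreachable. The following script, added here as an example and not code from the list message or from FreeBSD, parses `tcpdump -vn` records of that shape and flags ICMP errors whose outer source is either an RFC 1918 address or does not match the destination of the quoted (inner) packet, which is the condition visible in the "Before" capture. The sample records are constructed: RFC 5737 documentation addresses stand in for the AA.AA.AA.AA and XX.XX.XX.XX placeholders, and the timestamps and port numbers are copied from the captures above.

```python
"""Audit tcpdump -vn output for ICMP unreachables that leak an untranslated
internal source address past a NAT gateway (the symptom in Bug 201519).

Example code; the record layout follows tcpdump's multi-line -v format,
and the sample text below is constructed, not taken from a live capture.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: one record shaped like the "Before" capture (outer source is
# the internal host 10.1.0.3) and one like the "After" capture (outer source
# is the translated address). 192.0.2.53 plays AA.AA.AA.AA, 198.51.100.7
# plays XX.XX.XX.XX.
SAMPLE_BEFORE = """\
18:26:53.523646 IP (tos 0x0, ttl 63, id 36181, offset 0, flags [none], proto ICMP (1), length 56)
    10.1.0.3 > 192.0.2.53: ICMP 198.51.100.7 udp port 65501 unreachable, length 36
\tIP (tos 0x0, ttl 61, id 27788, offset 0, flags [none], proto UDP (17), length 150)
    192.0.2.53.53 > 198.51.100.7.65501: [|domain]
"""
SAMPLE_AFTER = """\
19:12:13.830491 IP (tos 0x0, ttl 63, id 47980, offset 0, flags [none], proto ICMP (1), length 56)
    198.51.100.7 > 192.0.2.53: ICMP 198.51.100.7 udp port 50234 unreachable, length 36
\tIP (tos 0x0, ttl 61, id 14958, offset 0, flags [none], proto UDP (17), length 152)
    192.0.2.53.53 > 198.51.100.7.50234: [|domain]
"""

# A record starts with a timestamp; continuation lines are indented.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
# Outer ICMP line: "<src> > <dst>: ICMP <host> udp port <n> unreachable"
ICMP_RE = re.compile(
    r"^\s*(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<qhost>[\d.]+) "
    r"(?P<proto>udp|tcp) port (?P<port>\d+) unreachable")
# Quoted inner packet: "<src>.<sport> > <dst>.<dport>:"
INNER_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IcmpError:
    timestamp: str
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_sport: int
    inner_dst: str
    inner_dport: int


def split_records(text: str) -> List[List[str]]:
    """Group tcpdump lines into records, one per timestamped header line."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line):
            if current:
                records.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_icmp_errors(text: str) -> List[IcmpError]:
    """Extract ICMP unreachable records together with their quoted packet."""
    errors: List[IcmpError] = []
    for rec in split_records(text):
        icmp = inner = None
        for line in rec[1:]:
            if icmp is None:
                icmp = ICMP_RE.match(line)   # outer header comes first
                continue
            inner = INNER_RE.match(line)     # then the quoted flow line
            if inner:
                break
        if icmp and inner:
            errors.append(IcmpError(
                rec[0].split()[0], icmp["src"], icmp["dst"],
                inner["src"], int(inner["sport"]),
                inner["dst"], int(inner["dport"])))
    return errors


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def check_nat_consistency(err: IcmpError) -> List[str]:
    """On the external side of a NAT, the outer source of an ICMP error must
    be the translated address, i.e. the destination of the quoted packet."""
    findings = []
    if is_rfc1918(err.outer_src):
        findings.append(f"outer source {err.outer_src} is an RFC 1918 address")
    if err.outer_src != err.inner_dst:
        findings.append(f"outer source {err.outer_src} != quoted destination {err.inner_dst}")
    return findings


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs for every suspicious ICMP error."""
    return [(e.timestamp, f) for e in parse_icmp_errors(text)
            for f in check_nat_consistency(e)]


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(sample) or "clean")
```

Run it against a capture taken on the external interface (`tcpdump -vn -i em1 'icmp[icmptype] = icmp-unreach'` piped to a file); any finding means an ICMP error left the gateway with the pre-translation source, which is what the patch is meant to stop.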