Discussion:
divert with rdr-to not working properly
Hakan SARIMAN
2021-04-05 06:51:53 UTC
Permalink
Hello Misc,


I think divert-packet feature with NAT/NAPT is broken.

I can not reach to web server when I use divert-packet with rdr-to.

Is this a known bug or a new issue?

When I use divert-packet + rdr-to here is the situation:


# MY PF RULES

pass in log quick on pppoe0 inet proto tcp from any to (pppoe0:0) port 81
rdr-to 10.10.12.27 port 81

pass out log quick on vport12 inet proto tcp from any to 10.10.12.27 port
81 divert-packet port 700

#


firewall# tcpdump -s 246 -nettti pflog0 port 81

tcpdump: listening on pflog0, link-type PFLOG

Apr 05 09:27:06.862384 rule 1/(match) pass in on pppoe0: 192.95.4.124.60497
88.248.12.123.81: S 2356312961:2356312961(0) win 29200 <mss
1460,sackOK,timestamp 3469650726 0,nop,wscale 7> (DF)

Apr 05 09:27:06.862412 rule 2/(match) pass out on vport12:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 3469650726 0,nop,wscale 7> (DF)


Here my egress interface tcpdump outputs of my firewall:


firewall# tcpdump -s 246 -nettti pppoe0 port 81

tcpdump: listening on pppoe0, link-type PPP_ETHER

Apr 05 09:27:06.862372 PPPoE

code Session, version 1, type 1, id 0x0001, length 62

IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win
29200 <mss 1460,sackOK,timestamp 3469650726 0,nop,wscale 7> (DF)

Apr 05 09:27:06.863516 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410382 3469650726> (DF)

Apr 05 09:27:07.861615 PPPoE

code Session, version 1, type 1, id 0x0001, length 62

IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win
29200 <mss 1460,sackOK,timestamp 3469650976 0,nop,wscale 7> (DF)

Apr 05 09:27:07.862076 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410384 3469650976> (DF)

Apr 05 09:27:09.855052 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410388 3469650976> (DF)

Apr 05 09:27:09.865622 PPPoE

code Session, version 1, type 1, id 0x0001, length 62

IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win
29200 <mss 1460,sackOK,timestamp 3469651477 0,nop,wscale 7> (DF)

Apr 05 09:27:09.866059 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410388 3469651477> (DF)

Apr 05 09:27:13.877705 PPPoE

code Session, version 1, type 1, id 0x0001, length 62

IP 192.95.4.124.60497 > 88.248.12.123.81: S 2356312961:2356312961(0) win
29200 <mss 1460,sackOK,timestamp 3469652480 0,nop,wscale 7> (DF)

Apr 05 09:27:13.878168 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410396 3469652480> (DF)

Apr 05 09:27:15.844984 PPPoE

code Session, version 1, type 1, id 0x0001, length 66

IP 10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3569410400 3469652480> (DF)




I can only see SYN packets on outgoing interface





firewall# tcpdump -s 246 -nettti vport12 port 81

tcpdump: listening on vport12, link-type EN10MB

Apr 05 09:27:06.863133 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340074 0,nop,wscale 7> (DF)

Apr 05 09:27:06.863414 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436484 4071340074> (DF)

Apr 05 09:27:07.861706 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340324 0,nop,wscale 7> (DF)

Apr 05 09:27:07.861986 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436486 4071340324> (DF)

Apr 05 09:27:09.854954 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436490 4071340324> (DF)

Apr 05 09:27:09.865709 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340825 0,nop,wscale 7> (DF)

Apr 05 09:27:09.865987 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436490 4071340825> (DF)

Apr 05 09:27:13.877798 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071341828 0,nop,wscale 7> (DF)

Apr 05 09:27:13.878085 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436498 4071341828> (DF)

Apr 05 09:27:15.844881 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436502 4071341828> (DF)

Apr 05 09:27:27.845083 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436526 4071341828> (DF)



This is what I see on my web server:

webserver# tcpdump -s 246 -nettti em0 port 81

tcpdump: listening on em0, link-type EN10MB

Apr 05 09:26:51.144078 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340074 0,nop,wscale 7> (DF)

Apr 05 09:26:51.144167 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436484 4071340074> (DF)

Apr 05 09:26:52.142620 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340324 0,nop,wscale 7> (DF)

Apr 05 09:26:52.142698 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436486 4071340324> (DF)

Apr 05 09:26:54.135720 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436490 4071340324> (DF)

Apr 05 09:26:54.146601 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071340825 0,nop,wscale 7> (DF)

Apr 05 09:26:54.146656 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436490 4071340825> (DF)

Apr 05 09:26:58.158670 ac:42:28:f6:e0:52 ac:42:28:86:dd:a0 0800 74:
192.95.4.124.60497 > 10.10.12.27.81: S 2356312961:2356312961(0) win 29200
<mss 1460,sackOK,timestamp 4071341828 0,nop,wscale 7> (DF)

Apr 05 09:26:58.158758 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436498 4071341828> (DF)

Apr 05 09:27:00.125608 ac:42:28:86:dd:a0 ac:42:28:f6:e0:52 0800 78:
10.10.12.27.81 > 192.95.4.124.60497: S 488425468:488425468(0) ack
2356312962 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 2730436502 4071341828> (DF)


This is output of man divert page’s example C program:


firewall# /sbin/divert_700

192.95.4.124:60497 -> 10.10.12.27:81

10.10.12.27:81 -> 192.95.4.124:60497

192.95.4.124:60497 -> 10.10.12.27:81

10.10.12.27:81 -> 192.95.4.124:60497

10.10.12.27:81 -> 192.95.4.124:60497

192.95.4.124:60497 -> 10.10.12.27:81

10.10.12.27:81 -> 192.95.4.124:60497

192.95.4.124:60497 -> 10.10.12.27:81

10.10.12.27:81 -> 192.95.4.124:60497

10.10.12.27:81 -> 192.95.4.124:60497

10.10.12.27:81 -> 192.95.4.124:60497



Here my dmesg output:


OpenBSD 6.9-beta (GENERIC.MP) #396: Thu Mar 11 19:15:56 MST 2021

***@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

real mem = 4248231936 (4051MB)

avail mem = 4104110080 (3913MB)

random: good seed from bootblocks

mpath0 at root

scsibus0 at mpath0: 256 targets

mainbus0 at root

bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f310000 (47 entries)

bios0: vendor American Megatrends Inc. version "R1.00" date 01/31/2019

bios0: Caswell CAN-0261

acpi0 at bios0: ACPI 6.1

acpi0: sleep states S0 S4 S5

acpi0: tables DSDT FACP FPDT FIDT TCPA MCFG WDAT APIC BDAT HPET UEFI SSDT
DMAR SPCR HEST BERT ERST EINJ WSMT

acpi0: wakeup devices PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4)
PEX6(S4) PEX7(S4) XHC1(S4) LAN0(S4) LAN1(S4) LAN2(S4) LAN3(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits

acpimcfg0 at acpi0

acpimcfg0: addr 0xe0000000, bus 0-255

acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat

cpu0 at mainbus0: apid 12 (boot processor)

cpu0: Intel(R) Atom(TM) CPU C3338 @ 1.50GHz, 1500.28 MHz, 06-5f-01

cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES

cpu0: 2MB 64b/line 16-way L2 cache

cpu0: smt 0, core 6, package 0

mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges

cpu0: apic clock running at 25MHz

cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE

cpu1 at mainbus0: apid 24 (application processor)

cpu1: Intel(R) Atom(TM) CPU C3338 @ 1.50GHz, 1500.02 MHz, 06-5f-01

cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES

cpu1: 2MB 64b/line 16-way L2 cache

cpu1: smt 0, core 12, package 0

ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins

acpihpet0 at acpi0: 23999999 Hz

acpiprt0 at acpi0: bus 0 (PCI0)

acpiprt1 at acpi0: bus 1 (PEX0)

acpiprt2 at acpi0: bus 2 (PEX1)

acpiprt3 at acpi0: bus 3 (PEX2)

acpiprt4 at acpi0: bus 4 (PEX3)

acpiprt5 at acpi0: bus -1 (PEX4)

acpiprt6 at acpi0: bus 5 (PEX5)

acpiprt7 at acpi0: bus -1 (PEX6)

acpiprt8 at acpi0: bus -1 (PEX7)

acpiprt9 at acpi0: bus -1 (VRP2)

acpiprt10 at acpi0: bus 6 (VRP0)

acpiprt11 at acpi0: bus 7 (VRP1)

acpipci0 at acpi0 PCI0: 0x00000010 0x00000011 0x00000000

"PNP0003" at acpi0 not configured

acpicmos0 at acpi0

"PNP0C33" at acpi0 not configured

tpm0 at acpi0 TPM_ addr 0xfed40000/0x5000, device 0x001a15d1 rev 0x10

acpicpu0 at acpi0: C1(@1 halt!)

acpicpu1 at acpi0: C1(@1 halt!)

acpitz0 at acpi0: critical temperature is 95 degC

pci0 at mainbus0 bus 0

pchb0 at pci0 dev 0 function 0 "Intel C3000 Host" rev 0x11

pchb1 at pci0 dev 4 function 0 "Intel C3000 GLREG" rev 0x11

"Intel C3000 RCEC" rev 0x11 at pci0 dev 5 function 0 not configured

ppb0 at pci0 dev 9 function 0 "Intel C3000 PCIE" rev 0x11

pci1 at ppb0 bus 1

em0 at pci1 dev 0 function 0 "Intel I211" rev 0x03: msi, address
08:35:71:a9:ce:a0

ppb1 at pci0 dev 10 function 0 "Intel C3000 PCIE" rev 0x11

pci2 at ppb1 bus 2

em1 at pci2 dev 0 function 0 "Intel I211" rev 0x03: msi, address
08:35:71:a9:ce:a1

ppb2 at pci0 dev 11 function 0 "Intel C3000 PCIE" rev 0x11

pci3 at ppb2 bus 3

em2 at pci3 dev 0 function 0 "Intel I211" rev 0x03: msi, address
08:35:71:a9:ce:a2

ppb3 at pci0 dev 12 function 0 "Intel C3000 PCIE" rev 0x11

pci4 at ppb3 bus 4

em3 at pci4 dev 0 function 0 "Intel I211" rev 0x03: msi, address
08:35:71:a9:ce:a3

ppb4 at pci0 dev 15 function 0 "Intel C3000 PCIE" rev 0x11

pci5 at ppb4 bus 5

"Intel C3000 SMBus" rev 0x11 at pci0 dev 18 function 0 not configured

ahci0 at pci0 dev 20 function 0 "Intel C3000 AHCI" rev 0x11: msi, AHCI 1.3.1

ahci0: PHY offline on port 0

ahci0: port 7: 6.0Gb/s

scsibus1 at ahci0: 32 targets

sd0 at scsibus1 targ 7 lun 0: <ATA, mSATA mini 3ME4, L176>
naa.502b2a201d1c1b1a

sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin

xhci0 at pci0 dev 21 function 0 "Intel C3000 xHCI" rev 0x11: msi, xHCI 1.0

usb0 at xhci0: USB revision 3.0

uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev
3.00/1.00 addr 1

ppb5 at pci0 dev 22 function 0 "Intel C3000 PCIE" rev 0x11

pci6 at ppb5 bus 6

ix0 at pci6 dev 0 function 0 "Intel X553 SGMII" rev 0x11, msix, 2 queues,
address 08:35:71:a9:ce:9e

ppb6 at pci0 dev 23 function 0 "Intel C3000 PCIE" rev 0x11

pci7 at ppb6 bus 7

ix1 at pci7 dev 0 function 0 "Intel X553 SGMII" rev 0x11, msix, 2 queues,
address 08:35:71:a9:ce:9f

"Intel C3000 ME HECI" rev 0x11 at pci0 dev 24 function 0 not configured

pcib0 at pci0 dev 31 function 0 "Intel C3000 LPC" rev 0x11

"Intel C3000 PMC" rev 0x11 at pci0 dev 31 function 2 not configured

"Intel C3000 SMBus" rev 0x11 at pci0 dev 31 function 4 not configured

"Intel C3000 SPI" rev 0x11 at pci0 dev 31 function 5 not configured

isa0 at pcib0

isadma0 at isa0

com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo

com0: console

com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

pcppi0 at isa0 port 0x61

spkr0 at pcppi0

wbsio0 at isa0 port 0x2e/2: NCT6779D rev 0x62

lm1 at wbsio0 port 0xa30/8: NCT6779D

vmm0 at mainbus0: VMX/EPT

efifb at mainbus0 not configured

umsm0 at uhub0 port 7 configuration 1 interface 0 "Sierra Wireless,
Incorporated Sierra Wireless EM7455 Qualcomm\M-. Snapdragon? X7 LTE-A" rev
3.00/0.06 addr 2

ucom0 at umsm0

umsm1 at uhub0 port 7 configuration 1 interface 2 "Sierra Wireless,
Incorporated Sierra Wireless EM7455 Qualcomm\M-. Snapdragon? X7 LTE-A" rev
3.00/0.06 addr 2

ucom1 at umsm1

umsm2 at uhub0 port 7 configuration 1 interface 3 "Sierra Wireless,
Incorporated Sierra Wireless EM7455 Qualcomm\M-. Snapdragon? X7 LTE-A" rev
3.00/0.06 addr 2

ucom2 at umsm2

umsm3 at uhub0 port 7 configuration 1 interface 8 "Sierra Wireless,
Incorporated Sierra Wireless EM7455 Qualcomm\M-. Snapdragon? X7 LTE-A" rev
3.00/0.06 addr 2

ucom3 at umsm3

vscsi0 at root

scsibus2 at vscsi0: 256 targets

softraid0 at root

scsibus3 at softraid0: 256 targets

root on sd0a (3ea7f5a674455929.a) swap on sd0b dump on sd0b
--
Saygılarımla,

Hakan SARIMAN
David Gwynne
2021-04-07 13:11:04 UTC
Permalink
Post by Hakan SARIMAN
Hello Misc,
I think divert-packet feature with NAT/NAPT is broken.
I can not reach to web server when I use divert-packet with rdr-to.
Is this a known bug or a new issue?
There's no other options? Just those two?

I think it's been around for a long time, but no one's hurt themselves
with it because they haven't combined nat/rdr with divert-packet
yet.

I believe the diff below will fix the bug. There's some discussion going
on behind the scenes about whether this is the right fix though.
Post by Hakan SARIMAN
# MY PF RULES
pass in log quick on pppoe0 inet proto tcp from any to (pppoe0:0) port 81
rdr-to 10.10.12.27 port 81
pass out log quick on vport12 inet proto tcp from any to 10.10.12.27 port
81 divert-packet port 700
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1112
diff -u -p -r1.1112 pf.c
--- pf.c 23 Feb 2021 11:43:40 -0000 1.1112
+++ pf.c 5 Apr 2021 10:16:31 -0000
@@ -6848,8 +6848,10 @@ pf_test(sa_family_t af, int fwdir, struc
if ((*m0)->m_pkthdr.pf.flags & PF_TAG_GENERATED)
return (PF_PASS);

- if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET)
+ if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) {
+ CLR((*m0)->m_pkthdr.pf.flags, PF_TAG_DIVERTED_PACKET);
return (PF_PASS);
+ }

if ((*m0)->m_pkthdr.pf.flags & PF_TAG_REFRAGMENTED) {
(*m0)->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED;
Hakan SARIMAN
2021-04-08 05:38:55 UTC
Permalink
David,
I tried the diff above and it worked. Thank you so much..
Post by David Gwynne
Post by Hakan SARIMAN
Hello Misc,
I think divert-packet feature with NAT/NAPT is broken.
I can not reach to web server when I use divert-packet with rdr-to.
Is this a known bug or a new issue?
There's no other options? Just those two?
I think it's been around for a long time, but no one's hurt themselves
with it because they haven't combined nat/rdr with divert-packet
yet.
I believe the diff below will fix the bug. There's some discussion going
on behind the scenes about whether this is the right fix though.
Post by Hakan SARIMAN
# MY PF RULES
pass in log quick on pppoe0 inet proto tcp from any to (pppoe0:0) port 81
rdr-to 10.10.12.27 port 81
pass out log quick on vport12 inet proto tcp from any to 10.10.12.27 port
81 divert-packet port 700
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1112
diff -u -p -r1.1112 pf.c
--- pf.c 23 Feb 2021 11:43:40 -0000 1.1112
+++ pf.c 5 Apr 2021 10:16:31 -0000
@@ -6848,8 +6848,10 @@ pf_test(sa_family_t af, int fwdir, struc
if ((*m0)->m_pkthdr.pf.flags & PF_TAG_GENERATED)
return (PF_PASS);
- if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET)
+ if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) {
+ CLR((*m0)->m_pkthdr.pf.flags, PF_TAG_DIVERTED_PACKET);
return (PF_PASS);
+ }
if ((*m0)->m_pkthdr.pf.flags & PF_TAG_REFRAGMENTED) {
(*m0)->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED;
--
Saygılarımla,

Hakan SARIMAN
Loading...