>Synopsis:      pf nat-to doesn't match a crafted packet
>Category:      system
>Environment:
        System      : OpenBSD 7.3
        Details     : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT 2023
                         dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

        Architecture: OpenBSD.arm64
        Machine     : arm64
>Description:
        I was testing a seemingly valid Internet packet going out my gateway 
but the pf firewall doesn't match nat-to to this one for some reason.  I'm
possibly overlooking something but every other packet exiting my gateway is
nat'ed.  What causes this?  How can this be exploited?

>How-To-Repeat:
Here is the tcpdump from the host 1 hop behind the NAT router:

16:59:08.438082 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211 unreachable [icmp cksum ok] for 11.69.44.241.52699 > 7.198.187.211.55672: udp 51351 [tos 0x9c] (ttl 147, id 17124, len 51419, optlen=40 NOP RR{39}= RR{#106.155.117.54 233.26.79.111 129.127.249.242 60.117.146.16 179.39.29.224 213.65.49.78 0.16.45.109 252.168.188.0 123.108.138.224}) (ttl 64, id 65443, len 96)
  0000: 4500 0060 ffa3 0000 4001 ad81 c0a8 b10d  E..`....@.......
  0010: 310c 2ab6 0301 55aa 0000 0000 4f9c c8db  1.*...U.....O...
  0020: 42e4 0000 9311 c756 0b45 2cf1 07c6 bbd3  B......V.E,.....
  0030: 0107 2704 6a9b 7536 e91a 4f6f 817f f9f2  ..'.j.u6..Oo....
  0040: 3c75 9210 b327 1de0 d541 314e 0010 2d6d  <u...'...A1N..-m
  0050: fca8 bc00 7b6c 8ae0 cddb d978 0000 0000  ....{l.....x....

and here is the tcpdump on the pppoe interface:

16:59:08.440403 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211 unreachable [icmp cksum ok] (ttl 63, id 65443, len 96)

Here are the relevant anchor rules I have:

       match out on $ext_if inet from <rfc1918> to any nat-to ($ext_if)

and:

        table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

Why did pf not translate this?  ... that's kinda kinky.
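The following dissector is an added example for triaging the report, not code from the report or from pf. It parses the 96 bytes transcribed from the hex dump above (outer IPv4, ICMP header, the quoted IPv4 header with its option block, and the quoted UDP ports), verifies the three checksums, checks the outer source against the same networks as the <rfc1918> table, and lists the properties of the quoted datagram that a stateful engine has to parse before it can match an ICMP error to a state or a translation rule: a 40-byte option block, a quoted total length far larger than the bytes actually quoted, a zero UDP length, and an error addressed to a host other than the quoted packet's source. The finding codes, function names and the `in_rfc1918` helper are this example's own; it does not reproduce pf's matching logic and makes no claim about why the translation was skipped.

```python
"""Dissect the ICMP error packet quoted in the report and list the properties of
its embedded (quoted) IPv4 header that a stateful firewall must parse.
Added example, not part of the bug report or of pf; PACKET is transcribed
from the tcpdump hex dump in the report."""
import struct
from ipaddress import IPv4Address, ip_network

PACKET = bytes.fromhex(
    "4500 0060 ffa3 0000 4001 ad81 c0a8 b10d"
    "310c 2ab6 0301 55aa 0000 0000 4f9c c8db"
    "42e4 0000 9311 c756 0b45 2cf1 07c6 bbd3"
    "0107 2704 6a9b 7536 e91a 4f6f 817f f9f2"
    "3c75 9210 b327 1de0 d541 314e 0010 2d6d"
    "fca8 bc00 7b6c 8ae0 cddb d978 0000 0000"
)

# Same networks as the report's <rfc1918> table.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}      # types that quote the offending datagram


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_options(opts: bytes) -> list:
    """Walk an IPv4 option block: EOL/NOP are one byte, everything else is TLV."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of option list
            out.append(("EOL", b""))
            break
        if kind == 1:                         # No-operation padding
            out.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("option %d length %d overruns the header" % (kind, olen))
        body = opts[i + 2:i + olen]
        if kind == 7 and body:                # Record Route: pointer, then 4-byte slots
            slots = [str(IPv4Address(body[j:j + 4])) for j in range(1, len(body) - 3, 4)]
            out.append(("RR", {"len": olen, "ptr": body[0], "addrs": slots}))
        else:
            out.append(("opt%d" % kind, body))
        i += olen
    return out


def parse_ipv4(buf: bytes) -> dict:
    """Parse a fixed IPv4 header plus options from the start of buf."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, tlen, ident, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    hlen = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or hlen < 20 or len(buf) < hlen:
        raise ValueError("bad version/IHL")
    return {"hlen": hlen, "tos": tos, "total_len": tlen, "id": ident, "frag": frag,
            "ttl": ttl, "proto": proto, "cksum_ok": inet_checksum(buf[:hlen]) == 0,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "options": parse_options(buf[20:hlen])}


def in_rfc1918(addr: str) -> bool:
    """True when addr falls in one of the <rfc1918> networks (the rule's 'from' set)."""
    return any(IPv4Address(addr) in net for net in RFC1918)


def dissect(packet: bytes) -> dict:
    """Outer IPv4 + ICMP, then the quoted header, with a list of (code, detail) findings."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        raise ValueError("outer protocol %d is not ICMP" % outer["proto"])
    icmp = packet[outer["hlen"]:]
    res = {"outer": outer, "icmp_type": icmp[0], "icmp_code": icmp[1],
           "icmp_cksum_ok": inet_checksum(icmp) == 0, "inner": None, "findings": []}
    if icmp[0] not in ICMP_ERROR_TYPES:
        return res                            # informational ICMP: nothing quoted
    quoted = icmp[8:]                         # the datagram the error refers to
    inner = parse_ipv4(quoted)
    payload = quoted[inner["hlen"]:]
    if inner["proto"] in (6, 17) and len(payload) >= 4:
        inner["sport"], inner["dport"] = struct.unpack("!HH", payload[:4])
    if inner["proto"] == 17 and len(payload) >= 8:
        inner["udp_len"] = struct.unpack("!H", payload[4:6])[0]
    res["inner"] = inner
    f = res["findings"]
    if inner["hlen"] > 20:
        f.append(("inner-options", "%d bytes of IP options in the quoted header" % (inner["hlen"] - 20)))
    if inner["total_len"] > len(quoted):
        f.append(("inner-len-overflow", "quoted total length %d but only %d bytes quoted"
                  % (inner["total_len"], len(quoted))))
    if inner.get("udp_len", 8) < 8:
        f.append(("udp-len-short", "quoted UDP length %d is below the 8-byte minimum" % inner["udp_len"]))
    if inner["src"] != outer["dst"]:
        f.append(("dst-mismatch", "error goes to %s but the quoted packet came from %s"
                  % (outer["dst"], inner["src"])))
    return res


if __name__ == "__main__":
    r = dissect(PACKET)
    o, i = r["outer"], r["inner"]
    print("outer %s > %s cksum_ok=%s, source in <rfc1918>: %s"
          % (o["src"], o["dst"], o["cksum_ok"], in_rfc1918(o["src"])))
    print("icmp type %d code %d cksum_ok=%s" % (r["icmp_type"], r["icmp_code"], r["icmp_cksum_ok"]))
    print("quoted %s:%s > %s:%s hlen %d options %s"
          % (i["src"], i.get("sport"), i["dst"], i.get("dport"), i["hlen"], i["options"]))
    for code, detail in r["findings"]:
        print("  [%s] %s" % (code, detail))
```

Run as a script it prints the same decode tcpdump showed for the LAN-side capture (all three checksums valid, NOP plus a 39-byte Record Route option with nine slots) followed by the four findings. The point for triage is that, judged on its outer header alone, the packet is an ordinary ICMP error from an <rfc1918> source that the `match out ... nat-to` rule selects on; everything unusual about it sits in the quoted header, which is exactly the part an ICMP-aware stateful engine reads when it decides how to handle an error message.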

>Fix:
Not known.


dmesg:
OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT 2023
    dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 8432840704 (8042MB)
avail mem = 8139239424 (7762MB)
random: good seed from bootblocks
mainbus0 at root: ACPI
psci0 at mainbus0: PSCI 1.1, SMCCC 1.2
cpu0 at mainbus0 mpidr 0: ARM Cortex-A72 r0p3
cpu0: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
cpu0: 1024KB 64b/line 16-way L2 cache
cpu0: CRC32,ASID16
cpu1 at mainbus0 mpidr 1: ARM Cortex-A72 r0p3
cpu1: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
cpu1: 1024KB 64b/line 16-way L2 cache
cpu1: CRC32,ASID16
cpu2 at mainbus0 mpidr 2: ARM Cortex-A72 r0p3
cpu2: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
cpu2: 1024KB 64b/line 16-way L2 cache
cpu2: CRC32,ASID16
cpu3 at mainbus0 mpidr 3: ARM Cortex-A72 r0p3
cpu3: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
cpu3: 1024KB 64b/line 16-way L2 cache
cpu3: CRC32,ASID16
efi0 at mainbus0: UEFI 2.7
efi0: https://github.com/pftf/RPi4 rev 0x10000
smbios0 at efi0: SMBIOS 3.3.0
smbios0: vendor https://github.com/pftf/RPi4 version "UEFI Firmware v1.21" date 11/13/2020
smbios0: Raspberry Pi Foundation Raspberry Pi 4 Model B
apm0 at mainbus0
ampintc0 at mainbus0 nirq 256, ncpu 4 ipi: 0, 1, 2: "interrupt-controller"
agtimer0 at mainbus0: 54000 kHz
acpi0 at mainbus0: ACPI 6.3
acpi0: sleep states
acpi0: tables DSDT FACP CSRT DBG2 GTDT IORT APIC PPTT BGRT
acpi0: wakeup devices
acpiiort0 at acpi0
"BCM2849" at acpi0 not configured
"BCM2835" at acpi0 not configured
"BCM2854" at acpi0 not configured
"ACPI0004" at acpi0 not configured
xhci0 at acpi0 XHC0 addr 0x600000000/0x1000 irq 175, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev 3.00/1.00 addr 1
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0004" at acpi0 not configured
"BCM2848" at acpi0 not configured
"BCM2850" at acpi0 not configured
"BCM2856" at acpi0 not configured
"BCM2845" at acpi0 not configured
"BCM2841" at acpi0 not configured
"BCM2841" at acpi0 not configured
"BCM2838" at acpi0 not configured
"BCM2839" at acpi0 not configured
"BCM2844" at acpi0 not configured
pluart0 at acpi0 URT0 addr 0xfe201000/0x1000 irq 153
"BCM2836" at acpi0 not configured
"BCM2EA6" at acpi0 not configured
"MSFT8000" at acpi0 not configured
sdhc0 at acpi0 SDC1 addr 0xfe300000/0x100 irq 158
sdhc0: base clock frequency unknown
"BCM2855" at acpi0 not configured
bse0 at acpi0 ETH0 addr 0xfd580000/0x10000 irq 189: address dc:a6:32:cc:db:a7
brgphy0 at bse0 phy 1: BCM54210E 10/100/1000baseT PHY, rev. 2
"PNP0C06" at acpi0 not configured
acpitz0 at acpi0: critical temperature is 90 degC
simplefb0 at mainbus0: 640x480, 32bpp
wsdisplay0 at simplefb0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
uhub1 at uhub0 port 1 configuration 1 interface 0 "VIA Labs USB2.0 Hub" rev 2.10/4.21 addr 2
uhidev0 at uhub1 port 4 configuration 1 interface 0 "APC Back-UPS ES 700G FW:871.O4 .I USB FW:O4" rev 1.10/1.06 addr 3
uhidev0: iclass 3/0, 146 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
uhid2 at uhidev0 reportid 3: input=0, output=0, feature=1
uhid3 at uhidev0 reportid 4: input=0, output=0, feature=1
uhid4 at uhidev0 reportid 5: input=0, output=0, feature=1
uhid5 at uhidev0 reportid 6: input=1, output=0, feature=1
uhid6 at uhidev0 reportid 7: input=0, output=0, feature=2
uhid7 at uhidev0 reportid 8: input=0, output=0, feature=2
uhid8 at uhidev0 reportid 9: input=0, output=0, feature=2
uhid9 at uhidev0 reportid 10: input=0, output=0, feature=1
uhid10 at uhidev0 reportid 11: input=0, output=0, feature=1
uhid11 at uhidev0 reportid 12: input=3, output=0, feature=3
uhid12 at uhidev0 reportid 13: input=0, output=0, feature=1
uhid13 at uhidev0 reportid 14: input=0, output=0, feature=1
uhid14 at uhidev0 reportid 15: input=0, output=0, feature=1
uhid15 at uhidev0 reportid 16: input=0, output=0, feature=1
uhid16 at uhidev0 reportid 17: input=0, output=0, feature=1
uhid17 at uhidev0 reportid 18: input=0, output=0, feature=1
uhid18 at uhidev0 reportid 23: input=0, output=0, feature=2
uhid19 at uhidev0 reportid 24: input=0, output=0, feature=1
uhid20 at uhidev0 reportid 28: input=0, output=0, feature=3
uhid21 at uhidev0 reportid 32: input=0, output=0, feature=2
uhid22 at uhidev0 reportid 34: input=0, output=0, feature=1
uhid23 at uhidev0 reportid 35: input=0, output=0, feature=2
uhid24 at uhidev0 reportid 36: input=0, output=0, feature=2
uhid25 at uhidev0 reportid 37: input=0, output=0, feature=2
uhid26 at uhidev0 reportid 38: input=0, output=0, feature=2
uhid27 at uhidev0 reportid 39: input=0, output=0, feature=1
uhid28 at uhidev0 reportid 40: input=0, output=0, feature=4
uhid29 at uhidev0 reportid 48: input=0, output=0, feature=2
uhid30 at uhidev0 reportid 49: input=0, output=0, feature=2
uhid31 at uhidev0 reportid 50: input=0, output=0, feature=2
uhid32 at uhidev0 reportid 51: input=0, output=0, feature=2
uhid33 at uhidev0 reportid 52: input=0, output=0, feature=1
uhid34 at uhidev0 reportid 53: input=0, output=0, feature=1
uhid35 at uhidev0 reportid 54: input=0, output=0, feature=1
uhid36 at uhidev0 reportid 64: input=0, output=0, feature=1
uhid37 at uhidev0 reportid 65: input=0, output=0, feature=2
uhid38 at uhidev0 reportid 80: input=0, output=0, feature=1
uhid39 at uhidev0 reportid 81: input=0, output=0, feature=1
uhid40 at uhidev0 reportid 96: input=0, output=0, feature=2
uhid41 at uhidev0 reportid 97: input=0, output=0, feature=1
uhid42 at uhidev0 reportid 98: input=0, output=0, feature=4
uhid43 at uhidev0 reportid 120: input=0, output=0, feature=1
uhid44 at uhidev0 reportid 121: input=0, output=0, feature=1
uhid45 at uhidev0 reportid 122: input=0, output=0, feature=4
uhid46 at uhidev0 reportid 123: input=0, output=0, feature=2
uhid47 at uhidev0 reportid 124: input=0, output=0, feature=1
uhid48 at uhidev0 reportid 125: input=0, output=0, feature=1
uhid49 at uhidev0 reportid 126: input=0, output=0, feature=1
uhid50 at uhidev0 reportid 127: input=0, output=0, feature=1
uhid51 at uhidev0 reportid 140: input=0, output=0, feature=1
uhid52 at uhidev0 reportid 141: input=0, output=0, feature=1
uhid53 at uhidev0 reportid 142: input=0, output=0, feature=1
uhid54 at uhidev0 reportid 143: input=0, output=0, feature=1
uhid55 at uhidev0 reportid 144: input=0, output=0, feature=1
uhid56 at uhidev0 reportid 145: input=0, output=0, feature=2
uhid57 at uhidev0 reportid 146: input=0, output=0, feature=2
umass0 at uhub0 port 3 configuration 1 interface 0 "Samsung Flash Drive FIT" rev 3.10/11.00 addr 4
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: <Samsung, Flash Drive FIT, 1100> removable serial.090c1000521110001360
sd0: 244752MB, 512 bytes/sector, 501253132 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (081866428dff49a4.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted
WARNING: bad clock chip time
WARNING: CHECK AND RESET THE DATE!
pppoe0: received unexpected PADO
