Hello,

I have patched and tested the "case IPPROTO_UDP" branch, and it works. The other cases should work too, I think.

It's against releng/10.3
--- sys/netpfil/pf/pf.c.orig    2016-05-21 17:57:29.420602000 +0300
+++ sys/netpfil/pf/pf.c 2016-05-21 18:01:09.119724000 +0300
@@ -4866,8 +4866,7 @@ pf_test_state_icmp(struct pf_state **sta
                                    &nk->addr[pd2.didx], pd2.af) ||
                                    nk->port[pd2.didx] != uh.uh_dport)
pf_change_icmp(pd2.dst, &uh.uh_dport,
-                                           NULL, /* XXX Inbound NAT? */
- &nk->addr[pd2.didx],
+                                           saddr, &nk->addr[pd2.didx],
                                            nk->port[pd2.didx], &uh.uh_sum,
                                            pd2.ip_sum, icmpsum,
                                            pd->ip_sum, 1, pd2.af);
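Review bot: Passing `saddr` where the old code passed NULL makes this pf_change_icmp call touch the outer IP header as well as the quoted inner packet (its third argument is, as far as I recall, the outer address that gets overwritten with the translated one, with `pd->ip_sum` fixed up accordingly), and the removed `/* XXX Inbound NAT? */` was the only hint that this was an open question; a comment stating the intent should take its place, e.g. `/* error generated behind the NAT: translate the outer source too, so the private address is not exposed to the peer */`. The outer rewrite now happens for every error whose inner destination needs translation, including one emitted by an intermediate router whose own address differs from the inner destination; that is presumably acceptable, since the peer should only ever see the translated address, but it is worth confirming and saying so in the comment. The traces in the message support the effect: before the patch the outer source of the unreachables is the private 10.1.0.3, afterwards it is the translated address. The ICMP, ICMPv6 and default branches of the same switch are not part of the patch, and if they still pass NULL in the same position they need the same review rather than the "should work too" assumption. pf_test_state_icmp begins and ends outside the hunk.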



Before:

# tcpdump -vni em1 'vlan and src net 10.0.0.0/8'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes

18:26:53.523646 IP (tos 0x0, ttl 63, id 36181, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 65501 unreachable, length 36 IP (tos 0x0, ttl 61, id 27788, offset 0, flags [none], proto UDP (17), length 150)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.65501: [|domain]

18:26:53.523657 IP (tos 0x0, ttl 63, id 36182, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51397 unreachable, length 36 IP (tos 0x0, ttl 61, id 27789, offset 0, flags [none], proto UDP (17), length 150)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.51397: [|domain]

18:26:56.629648 IP (tos 0x0, ttl 63, id 36456, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 65254 unreachable, length 36 IP (tos 0x88, ttl 62, id 13875, offset 0, flags [none], proto UDP (17), length 137)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.65254: [|domain]

18:27:27.746093 IP (tos 0x0, ttl 63, id 38864, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 62079 unreachable, length 36 IP (tos 0x0, ttl 61, id 429, offset 0, flags [none], proto UDP (17), length 150)
    BB.BB.BB.BB.53 > XX.XX.XX.XX.62079: [|domain]

18:27:27.746104 IP (tos 0x0, ttl 63, id 38865, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > BB.BB.BB.BB: ICMP XX.XX.XX.XX udp port 51628 unreachable, length 36 IP (tos 0x0, ttl 61, id 428, offset 0, flags [none], proto UDP (17), length 150)
    BB.BB.BB.BB.53 > XX.XX.XX.XX.51628: [|domain]

18:29:19.805568 IP (tos 0x0, ttl 63, id 42754, offset 0, flags [none], proto ICMP (1), length 56) 10.1.0.3 > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 52016 unreachable, length 36 IP (tos 0x88, ttl 62, id 13974, offset 0, flags [none], proto UDP (17), length 151)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.52016: [|domain]



After:

# date ; tcpdump -vni em1 'vlan and src net 10.0.0.0/8' ; date
Sat May 21 18:40:08 MSK 2016
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
80373 packets received by filter
0 packets dropped by kernel
Sat May 21 18:54:53 MSK 2016


# tcpdump -vni em1 'vlan and icmp[icmptype] = icmp-unreach'
tcpdump: WARNING: em1: no IPv4 address assigned
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes 19:11:39.539336 IP (tos 0x0, ttl 63, id 46008, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 51264 unreachable, length 36 IP (tos 0x88, ttl 62, id 15144, offset 0, flags [none], proto UDP (17), length 463)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.51264: [|domain]

19:11:40.063673 IP (tos 0x0, ttl 63, id 46031, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 54326 unreachable, length 36 IP (tos 0x88, ttl 62, id 15145, offset 0, flags [none], proto UDP (17), length 463)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.54326: [|domain]

19:12:13.830491 IP (tos 0x0, ttl 63, id 47980, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 50234 unreachable, length 36 IP (tos 0x0, ttl 61, id 14958, offset 0, flags [none], proto UDP (17), length 152)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.50234: [|domain]

19:12:13.830502 IP (tos 0x0, ttl 63, id 47981, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 56144 unreachable, length 36 IP (tos 0x0, ttl 61, id 14959, offset 0, flags [none], proto UDP (17), length 141)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.56144: [|domain]

19:12:13.830512 IP (tos 0x0, ttl 63, id 47982, offset 0, flags [none], proto ICMP (1), length 56) XX.XX.XX.XX > AA.AA.AA.AA: ICMP XX.XX.XX.XX udp port 51648 unreachable, length 36 IP (tos 0x0, ttl 61, id 14960, offset 0, flags [none], proto UDP (17), length 152)
    AA.AA.AA.AA.53 > XX.XX.XX.XX.51648: [|domain]

19:13:01.643129 IP (tos 0x0, ttl 63, id 50328, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 57306 unreachable, length 36 IP (tos 0x88, ttl 62, id 15226, offset 0, flags [none], proto UDP (17), length 152)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.57306: [|domain]

19:13:31.672915 IP (tos 0x0, ttl 63, id 51139, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 60908 unreachable, length 36 IP (tos 0x88, ttl 62, id 15253, offset 0, flags [none], proto UDP (17), length 154)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.60908: [|domain]

19:13:32.115936 IP (tos 0x0, ttl 63, id 51186, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > CC.CC.CC.CC: ICMP YY.YY.YY.YY udp port 54767 unreachable, length 36 IP (tos 0x88, ttl 62, id 15254, offset 0, flags [none], proto UDP (17), length 154)
    CC.CC.CC.CC.53 > YY.YY.YY.YY.54767: [|domain]

19:13:32.995098 IP (tos 0x0, ttl 63, id 51209, offset 0, flags [none], proto ICMP (1), length 56) YY.YY.YY.YY > BB.BB.BB.BB: ICMP YY.YY.YY.YY udp port 58573 unreachable, length 36 IP (tos 0x88, ttl 62, id 15258, offset 0, flags [none], proto UDP (17), length 149)
    BB.BB.BB.BB.53 > YY.YY.YY.YY.58573: [|domain]
