On Mon, Apr 05, 2021 at 09:51:53AM +0300, Hakan SARIMAN wrote:
> Hello Misc,
>
> I think the divert-packet feature with NAT/NAPT is broken.
> I cannot reach the web server when I use divert-packet with rdr-to.
> Is this a known bug or a new issue?
There's no other options? Just those two?

I think it's been around for a long time, but no one's hurt themselves with it because they haven't combined nat/rdr with divert-packet yet.

I believe the diff below will fix the bug. There's some discussion going on behind the scenes about whether this is the right fix though.

> When I use divert-packet + rdr-to here is the situation:
>
> # MY PF RULES
> pass in log quick on pppoe0 inet proto tcp from any to (pppoe0:0) port 81 rdr-to 10.10.12.27 port 81
> pass out log quick on vport12 inet proto tcp from any to 10.10.12.27 port 81 divert-packet port 700

Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1112
diff -u -p -r1.1112 pf.c
--- pf.c 23 Feb 2021 11:43:40 -0000 1.1112
+++ pf.c 5 Apr 2021 10:16:31 -0000
@@ -6848,8 +6848,10 @@ pf_test(sa_family_t af, int fwdir, struc if ((*m0)->m_pkthdr.pf.flags & PF_TAG_GENERATED) return (PF_PASS); - if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) + if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) { + CLR((*m0)->m_pkthdr.pf.flags, PF_TAG_DIVERTED_PACKET); return (PF_PASS); + } if ((*m0)->m_pkthdr.pf.flags & PF_TAG_REFRAGMENTED) { (*m0)->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED;
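Review bot: the PF_TAG_DIVERTED_PACKET early return now consumes the tag instead of leaving it set on the mbuf for good, which is the substance of the fix: without the CLR, a packet reinjected from the divert socket carries the tag through every later pf_test() pass and is passed untouched, so the rdr-to/nat-to translation and state lookup on the other interface never run, matching the symptom in the report. Two points worth raising before commit. First, the new line uses CLR() while the PF_TAG_REFRAGMENTED block immediately below clears its tag with `(*m0)->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED;`; pick one idiom for both so the two adjacent blocks read the same. Second, since the poster says the approach is still under discussion, a one-line comment above the block stating that the tag is meant to skip exactly one pf_test() pass after reinjection would document the intended semantics and make the early return easier to review.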