Hi All,

I'm in the process of writing a pptp proxy for PF and
am a fair way through it.

I'm redirecting GRE packets from PF to the proxy using:
   rdr on $wan proto gre from $lan:network to \
           any -> 127.0.0.1

GRE packets are hitting my proxy at 127.0.0.1, but I'm
unable to interrogate PF for the original destination IP
of the GRE packets.  The ioctl(DIOCNATLOOK) call always
fails with "invalid argument".

But a state entry *is* being created as "pfctl -s state"
is showing the correct state entry.

I'm using OBSD 3.9.  I've stripped out the problem code
into two files client.c and server.c (proxy) to
   http://rajasuperman.googlepages.com/client.c
   http://rajasuperman.googlepages.com/server.c

server.c is run on the firewall, and client.c sends a
test GRE packet.

Here is the problem code from server.c:

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>

extern int dev;         /* /dev/pf, opened O_RDWR elsewhere in server.c */

/*
 * Given the client address (the recvfrom() peer) and the proxy's own
 * bound address, ask pf which destination the client originally sent
 * to and return it in *server.  Returns 0 on success, -1 with errno set.
 */
int
server_lookup_gre(struct sockaddr *client, struct sockaddr *myself,
    struct sockaddr *server)
{
        struct pfioc_natlook pnl;
        struct sockaddr_in *src, *me, *dst;

        if (client->sa_family != AF_INET) {
                errno = EPROTONOSUPPORT;
                return (-1);
        }

        src = (struct sockaddr_in *) client;
        me  = (struct sockaddr_in *) myself;
        dst = (struct sockaddr_in *) server;

        /* Lookup key: client -> proxy, i.e. the packet as it reached us. */
        memset(&pnl, 0, sizeof pnl);
        pnl.direction = PF_INOUT;       /* ftp-proxy's server_lookup uses PF_OUT here */
        pnl.af = AF_INET;
        pnl.proto = IPPROTO_GRE;
        memcpy(&pnl.saddr.v4, &src->sin_addr.s_addr, sizeof pnl.saddr.v4);
        memcpy(&pnl.daddr.v4, &me->sin_addr.s_addr, sizeof pnl.daddr.v4);
        /* GRE has no ports; a raw socket leaves both sin_port fields at 0. */
        pnl.sport = src->sin_port;
        pnl.dport = me->sin_port;

        /* XXX: GRR!  ioctl *always* bombs (EINVAL).  Why? */
        if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
                return (-1);

        /* On success pf returns the original (pre-rdr) destination in rdaddr. */
        memset(dst, 0, sizeof(struct sockaddr_in));
        dst->sin_len = sizeof(struct sockaddr_in);
        dst->sin_family = AF_INET;
        memcpy(&dst->sin_addr.s_addr, &pnl.rdaddr.v4,
            sizeof dst->sin_addr.s_addr);

        return (0);
}

client: 10.0.0.11
server: 10.0.0.1

[EMAIL PROTECTED]:/tmp$ sudo ./client 64.233.187.99
Message >ABCDE< sent to 64.233.187.99

[EMAIL PROTECTED]:~/src$ ./server 127.0.0.1
listening on 127.0.0.1
25 bytes read from 10.0.0.11 >ABCDE<
server: server_lookup_gre failed

[EMAIL PROTECTED]:~/src$ sudo pfctl -s state | grep gre
all gre 127.0.0.1 <- 64.233.187.99 <- 10.0.0.11       NO_TRAFFIC:SINGLE

Thanks for any help!

- Raja

PS: pf@ is still not accessible from @gmail.com.  Are others
able to post?
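[Editor's note: the program below is an added example and is not code from Raja's client.c/server.c. It builds the DIOCNATLOOK key for a GRE flow the way ftp-proxy's server_lookup does for TCP (direction PF_OUT, saddr = client, daddr = proxy) and, before touching /dev/pf, checks the key against the conditions under which pf answers EINVAL: proto 0, an unspecified source or destination address, and a zero port for a TCP/UDP lookup. Assumptions of mine, not things the post establishes: that the proxy reads GRE from a raw socket, so the "proxy" address is whatever the socket is bound to (binding to 0.0.0.0 yields an all-zero daddr and thus EINVAL); that pf of the 3.9 era applied the non-zero-port rule to every protocol, not just TCP/UDP, which the zero sin_port a raw socket reports would trip; and the names natlook_precheck, natlook_key_from_strings, check_flow and natlook_gre, which are mine. The pf-specific part compiles only on OpenBSD; the pre-check is portable.]

```c
/*
 * Added example (not from the original post): build and sanity-check a
 * DIOCNATLOOK key for a GRE flow, then query pf for the original
 * destination.  See the note above for what is assumed here.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __OpenBSD__
#include <sys/ioctl.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <unistd.h>
#endif

#ifndef IPPROTO_GRE
#define IPPROTO_GRE 47
#endif

/* Portable copy of the fields pfioc_natlook needs for the lookup. */
struct natlook_key {
	struct in_addr	saddr;		/* client, as reported by recvfrom() */
	struct in_addr	daddr;		/* proxy's bound address (the rdr target) */
	uint16_t	sport, dport;	/* network order; both 0 for GRE */
	uint8_t		proto;
};

/*
 * Mirror pf's checks on the key.  Returns 0 when pf would accept it,
 * otherwise EINVAL with *why naming the offending field.  The port rule
 * is the TCP/UDP-only form; on older pf (assumption: 3.9 included) a
 * zero port is rejected for every protocol, GRE included.
 */
int
natlook_precheck(const struct natlook_key *k, const char **why)
{
	*why = "ok";
	if (k->proto == 0)
		*why = "proto is 0";
	else if (k->saddr.s_addr == 0)
		*why = "saddr is unspecified";
	else if (k->daddr.s_addr == 0)
		*why = "daddr is unspecified (proxy bound to 0.0.0.0?)";
	else if ((k->proto == IPPROTO_TCP || k->proto == IPPROTO_UDP) &&
	    (k->sport == 0 || k->dport == 0))
		*why = "TCP/UDP lookup with a zero port";
	return (strcmp(*why, "ok") == 0 ? 0 : EINVAL);
}

/* Build a portless (GRE-style) key from dotted quads; 0 or EINVAL. */
int
natlook_key_from_strings(const char *client, const char *proxy,
    uint8_t proto, struct natlook_key *k)
{
	memset(k, 0, sizeof *k);
	if (inet_pton(AF_INET, client, &k->saddr) != 1 ||
	    inet_pton(AF_INET, proxy, &k->daddr) != 1)
		return (EINVAL);
	k->proto = proto;
	return (0);
}

/* 0 if pf would accept a client -> proxy lookup for proto, else errno. */
int
check_flow(const char *client, const char *proxy, uint8_t proto)
{
	struct natlook_key k;
	const char *why;
	int err;

	if ((err = natlook_key_from_strings(client, proxy, proto, &k)) != 0)
		return (err);
	return (natlook_precheck(&k, &why));
}

#ifdef __OpenBSD__
/*
 * Ask pf for the original destination.  Direction PF_OUT as in ftp-proxy:
 * pf reverses the lookup internally and, for a state created by rdr,
 * returns the pre-rdr destination (the "gwy" address in pfctl -s state)
 * in rdaddr.  errno is ENOENT for no matching state, E2BIG if ambiguous.
 */
int
natlook_gre(int dev, const struct natlook_key *k, struct in_addr *orig)
{
	struct pfioc_natlook pnl;

	memset(&pnl, 0, sizeof pnl);
	pnl.direction = PF_OUT;
	pnl.af = AF_INET;
	pnl.proto = k->proto;
	pnl.saddr.v4 = k->saddr;
	pnl.daddr.v4 = k->daddr;
	pnl.sport = k->sport;
	pnl.dport = k->dport;
	if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
		return (-1);
	*orig = pnl.rdaddr.v4;
	return (0);
}
#endif

int
main(int argc, char *argv[])
{
	/* Constructed defaults match the addresses in the post's test run. */
	const char *client = argc > 1 ? argv[1] : "10.0.0.11";
	const char *proxy = argc > 2 ? argv[2] : "127.0.0.1";
	struct natlook_key k;
	const char *why = "bad address";

	if (natlook_key_from_strings(client, proxy, IPPROTO_GRE, &k) != 0 ||
	    natlook_precheck(&k, &why) != 0) {
		fprintf(stderr, "DIOCNATLOOK key would be rejected: %s\n", why);
		return (1);
	}
#ifdef __OpenBSD__
	{
		int dev = open("/dev/pf", O_RDWR);
		struct in_addr orig;
		char buf[INET_ADDRSTRLEN];

		if (dev == -1 || natlook_gre(dev, &k, &orig) == -1) {
			perror("DIOCNATLOOK");
			return (1);
		}
		printf("%s -> %s was originally sent to %s\n", client, proxy,
		    inet_ntop(AF_INET, &orig, buf, sizeof buf));
		close(dev);
	}
#else
	printf("gre %s -> %s: key passes pf's checks\n", client, proxy);
#endif
	return (0);
}
```

Run it on the firewall as `./natlook 10.0.0.11 127.0.0.1` after client.c has sent its packet; with the state from the post's `pfctl -s state` output present it should print 64.233.187.99. If the pre-check already complains about daddr, the proxy's socket is not bound to the rdr target, and if pf still returns EINVAL for a key that passes the pre-check, the version-specific port rule described above is the remaining suspect.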
