On Tue, 29 Aug 2006, Raja Subramanian wrote:

> Hi All,
> 
> I'm in the process of writing a pptp proxy for PF and
> am a fair way through it.
> 
> I'm redirecting GRE packets from PF to the proxy using:
>    rdr on $wan proto gre from $lan:network to \
>            any -> 127.0.0.1
> 
> GRE packets are hitting my proxy at 127.0.0.1, but I'm
> unable to interrogate PF for the original destination IP
> of the GRE packets.  The ioctl(DIOCNATLOOK) call always
> fails with "invalid argument".

It looks like you are hitting this code in pf_ioctl.c:

>               if (!pnl->proto ||
>                   PF_AZERO(&pnl->saddr, pnl->af) ||
>                   PF_AZERO(&pnl->daddr, pnl->af) ||
>                   !pnl->dport || !pnl->sport)
>                       error = EINVAL;
>               else { 

Maybe this test should be:

                if (!pnl->proto ||
                    PF_AZERO(&pnl->saddr, pnl->af) ||
                    PF_AZERO(&pnl->daddr, pnl->af) ||
                    ((pnl->proto == IPPROTO_TCP ||
                    pnl->proto == IPPROTO_UDP) &&
                    (!pnl->dport || !pnl->sport)))
                        error = EINVAL;

to ignore the port numbers for non-TCP/UDP.

A (more complicated) alternative would be to teach pf to pull out 
either the GRE "key" (rfc2980) and/or eGRE "call id" (rfc2637) fields
and stuff them into the space used by the port numbers. IIRC both are
uint32, so they should fit. This will give the added benefit of 
making pf able to properly NAT multiple GRE sessions through the same
gateway.

-d
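The second alternative above, keying pf state on the GRE Key or the PPTP Call ID instead of port numbers, needs a header walk like the following. This is an added example, not code from the thread or from pf: it extracts the 32-bit Key of version 0 GRE (RFC 2890 layout) or the 16-bit Call ID of version 1 enhanced GRE (RFC 2637) from constructed sample headers; the function and constant names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 16-bit GRE word (RFC 1701/2784/2890; RFC 2637 "enhanced GRE" for PPTP). */
#define GRE_FLAG_C     0x8000  /* checksum (and offset) word present */
#define GRE_FLAG_R     0x4000  /* routing present, RFC 1701 only */
#define GRE_FLAG_K     0x2000  /* key present */
#define GRE_VERSION(w) ((w) & 0x0007)
#define GRE_PROTO_PPP  0x880B  /* protocol type carried by PPTP tunnels */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Per-session demultiplexing id of a GRE header, or -1 if it carries none:
 * the 32-bit Key for version 0, the 16-bit Call ID (low half of the Key
 * word, after the 16-bit payload length) for version 1 enhanced GRE. */
static int64_t gre_session_id(const uint8_t *pkt, size_t len)
{
    if (len < 4)
        return -1;
    uint16_t w = be16(pkt);
    if (!(w & GRE_FLAG_K))
        return -1;                         /* keyless GRE: nothing to key on */
    if (GRE_VERSION(w) == 0) {
        size_t off = 4;
        if (w & (GRE_FLAG_C | GRE_FLAG_R))
            off += 4;                      /* skip checksum + offset word */
        return len < off + 4 ? -1 : (int64_t)be32(pkt + off);
    }
    if (GRE_VERSION(w) == 1 && be16(pkt + 2) == GRE_PROTO_PPP)
        return len < 8 ? -1 : (int64_t)be16(pkt + 6);
    return -1;                             /* unknown version or payload */
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t GRE_KEYED[] = { 0x20, 0x00, 0x08, 0x00, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t GRE_CKSUM_KEYED[] = { 0xA0, 0x00, 0x08, 0x00, 0x12, 0x34, 0, 0, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t GRE_PLAIN[] = { 0x00, 0x00, 0x08, 0x00 };
/* PPTP: K=1 S=1 A=1 ver=1, proto 0x880B, payload length 16, Call ID 0x1234 */
static const uint8_t GRE_PPTP[] = { 0x30, 0x81, 0x88, 0x0B, 0x00, 0x10, 0x12, 0x34,
                                    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07 };

int main(void)
{
    printf("keyed GRE:  %lld\n", (long long)gre_session_id(GRE_KEYED, sizeof GRE_KEYED));
    printf("PPTP:       %lld\n", (long long)gre_session_id(GRE_PPTP, sizeof GRE_PPTP));
    printf("keyless:    %lld\n", (long long)gre_session_id(GRE_PLAIN, sizeof GRE_PLAIN));
    return 0;
}
```

A 32-bit Key fits the two 16-bit port fields of the lookup structure; a 16-bit Call ID needs only one, which is why the thread's proposed check must stop requiring both ports to be non-zero for non-TCP/UDP protocols.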
