Page MenuHomeFreeBSD
Differential D31504

pf: always log nat rule and do it pre-rewrite
ClosedPublic
Actions

Authored by franco_opnsense.org on Aug 11 2021, 8:24 AM.
Tags
None
Referenced Files
F102822665: D31504.id95148.diff
Sun, Nov 17, 3:46 PM
F102817302: D31504.diff
Sun, Nov 17, 2:00 PM
Unknown Object (File)
Thu, Nov 14, 12:50 PM
Unknown Object (File)
Sat, Oct 19, 11:39 AM
Unknown Object (File)
Sat, Oct 19, 9:56 AM
Unknown Object (File)
Oct 4 2024, 6:27 PM
Unknown Object (File)
Oct 2 2024, 6:05 AM
Unknown Object (File)
Oct 1 2024, 4:59 PM
View All 83 Files
Subscribers
farrokhi
imp
melifaro
Contributor Reviews (src)

Details

Reviewers
kp
Commits
rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite
Summary

PR: https://github.com/opnsense/core/issues/5005

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

franco_opnsense.org created this revision.Aug 11 2021, 8:24 AM
Herald added subscribers: Contributor Reviews (src), melifaro, farrokhi, imp. · View Herald TranscriptAug 11 2021, 8:24 AM
franco_opnsense.org requested review of this revision.Aug 11 2021, 8:24 AM
Harbormaster completed remote builds in B40985: Diff 93530.Aug 11 2021, 8:24 AM
franco_opnsense.org added a reviewer: kp.Aug 11 2021, 8:26 AM
kp added a comment.Aug 13 2021, 1:23 PM

Thanks for posting this here.

I've not lost track of this patch, but I've yet to find the time to dig into it in detail. It's still very much on my todo list.

kp added inline comments.Sep 7 2021, 8:06 PM
sys/netpfil/pf/pf.c
3635

Why are we adding a match count here? Do we want to count each NAT-ed packet twice in the match counter?

franco_opnsense.org added inline comments.Sep 8 2021, 1:00 PM
sys/netpfil/pf/pf.c
3635

Well, it's needed in the "rdr pass" case at least. I see your point about double-accounting. The code was copied to retain integrity, though REASON_SET is a strange macro with an intended side effect not making this easy. Let me try to propose a different approach.

franco_opnsense.org added a comment.Sep 8 2021, 1:03 PM

But to be fair both rules are matching accounting-wise unless we assume that only "pass" can account for "match".

franco_opnsense.org updated this revision to Diff 95148.Sep 14 2021, 12:04 PM

void REASON_SET by directly passing PFRES_MATCH

Harbormaster completed remote builds in B41510: Diff 95148.Sep 14 2021, 12:04 PM
franco_opnsense.org marked an inline comment as done.Sep 14 2021, 12:05 PM

Not sure about omitting the match on a NAT rule, but doing it inside the log code was definitely wrong.

kp added a comment.Sep 16 2021, 12:15 PM

(Not forgotten to this, but busy with eurobsd for the next few days)

This revision was not accepted when it landed; it landed in state Needs Review.Sep 18 2021, 1:51 PM
Closed by commit rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite (authored by franco_opnsense.org, committed by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG8e496ea1df1f: pf: always log nat rule and do it pre-rewrite.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
9 lines

Diff 95340

View Options

sys/netpfil/pf/pf.c

Loading...