
pfctl: Add modern NAT syntax
Needs Review, Public

Authored by vegeta_tuxpowered.net on Mon, Mar 3, 5:09 PM.
Tags
None
Referenced Files
F111855557: D49221.id151862.diff
Sun, Mar 9, 9:07 AM

Details

Reviewers
kp
Summary

Now that pfctl has separate functions for parsing redirection pools and
ports, we can finally add support for nat-to and rdr-to filter_opts.
NAT and RDR actions are marked by having the respective pools filled in.

Function pf_rule_apply_nat() is responsible for both NAT/RDR and af-to
address translations. It is called both for match rules and the final
pass rule.

Use FreeBSD's original address translation code by splitting it into
pf_translate_compat(). Call this function for old-style NAT ruleset
and for modern NAT rules via pf_rule_apply_nat().

Initialize pfctl_rule's redirection pools on rule allocation, also for
code paths not using expand_rule(), so that they can be safely checked
for being empty in filter_consistent().

Move map-e NAT test to nat.sh for convenience, duplicate critical NAT
tests into _compat (for old-style NAT ruleset) and _pass (for match/pass)
variants.

Features missing:

  • binat-to
  • usage of modern pf_translate()
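For readers unfamiliar with the two rule styles the summary contrasts, the same NAT and RDR policy written both ways in pf.conf. This is a constructed example added here, not part of the review or of the FreeBSD test suite; the interface name and addresses are placeholders.

```conf
# Constructed example: one translation policy in the old-style ruleset
# and in the modern filter-option syntax this change teaches pfctl.
ext_if  = "em0"             # placeholder external interface
int_net = "192.0.2.0/24"    # placeholder internal network (RFC 5737 range)
web_srv = "192.0.2.10"      # placeholder internal web server

# Old-style ruleset (the "_compat" test variant): translation rules form
# their own section, evaluated before the filter rules, so each
# translation still needs a filter rule that lets the traffic through.
nat on $ext_if inet from $int_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 8080
pass out on $ext_if inet from $int_net to any
pass in on $ext_if inet proto tcp from any to $web_srv port 8080

# Modern syntax (the "_pass" test variant): nat-to / rdr-to are filter
# options on match or pass rules, so translation is decided together with
# filtering. A match rule only annotates the state; a pass rule is still
# required for the translated traffic to be permitted.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)
pass out on $ext_if inet from $int_net to any
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv port 8080
```

The binat-to option is not covered here because the summary lists it as not yet supported.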

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net changed the visibility from "vegeta_tuxpowered.net (Kajetan Staszkiewicz)" to "Public (No Login Required)".

I think we're missing the associated man page updates.

I'm going to revisit this tomorrow, but I've not seen any issues yet.

sbin/pfctl/parse.y, line 964:

Is it worth factoring this out into a pfctl_init_rule() or something?