History log of /freebsd/tests/sys/netpfil/pf/nat64.sh (Results 1 – 21 of 21)
# f6f116cd 23-Feb-2025 Kajetan Staszkiewicz <ks@FreeBSD.org>

pf: Make af-to work on outbound interface

Currently af-to works only on inbound interface by creating a reversed
NAT state key which is used to match traffic returning on the outbound
interface.

Such limitation is not necessary. When an af-to state is created
for an outbound rule do not reverse the NAT state key, making it work
just like if it was created for a normal NAT rule. Depending on firewall
design it might be easier and more natural to use af-to on the outbound
interface.

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D49122


# 41265f65 21-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf: cope with IPv6 gateways for an IPv4 route in nat64

It's possible for an IPv4 next hop to be specified as an IPv6 address. This
broke pf's route lookup in pf_route(), which is required for nat64.

Handle this case just like ip_tryforward(): use the struct sockaddr from the
struct nhop_object, and mark a struct route to indicate if_output() has to use
the gateway.

Add a test case for this.

PR: 284946
Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49095


# 9bdb3272 21-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf tests: remove stray debug log line

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4
# c2346c3d 13-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf: support source-hash and random with tables and dynifs, not just pools

This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@

Obtained from: OpenBSD, reyk <reyk@openbsd.org>, 252a05523f
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3
# 7a372bde 22-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: make reply-to work with nat64

Just like route-to, reply-to is problematic when used in combination with nat64.

In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.

We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.

Add a functional test case, and a test for pfctl's rule printing.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# ca0e6934 13-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: cope with route-to on af-to rules

af-to uses pf_route() and pf_route6(), which caused issues when af-to and
route-to were combined in a single rule.
Extend the relevant functions to cope with this and add test cases.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 697c1568 23-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: fix IPv6 route lookup for nat64

The route lookup in pf_route6() (for the nat64 case) had the src/dst for bcopy()
swapped around, so any nat64 setup that passed via a gateway on the IPv6 side
was broken.

Fix this, add 'const' to make this error actually fail to compile and add a
test case.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 32cac604 12-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test dummynet on nat64 rules

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 7f3d159b 11-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test using an address range inside a table for nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")


# bdb583af 11-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test address range as nat64 from address

Sponsored by: Rubicon Communications, LLC ("Netgate")


# e0dcc51d 10-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: do not allow af-to tables without round-robin

Tables can only be used as a redirspec (i.e. in pf_map_addr()) in round-robin mode.
Enforce this for af-to tables as well.

Add a test case to verify.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# b0e3fb7e 09-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf: fix nat64 round-robin addresses from a table

We do multiple lookups during the nat64 process, some of which will fail due
to address family mismatches. Do not reset the lookup offset so we actually use
different addresses from the table.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 9e039875 06-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: verify pool use for nat64

Verify that if we provide a pool of addresses we use the entire pool.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 125e3952 05-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test not having an IPv4 address to nat64 to

This isn't expected to work, for obvious reasons, but we also expect to not
panic doing this. Exercise this special case.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 27fca150 02-Dec-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: validate ToS translation with nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.2.0
# e128e988 20-Nov-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: check packet reassembly with nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47805


# c6210cfd 15-Nov-2024 Kristof Provost <kp@FreeBSD.org>

pf: fix if-bound with nat64

Just as with reply-to rules we don't know what interface we will send this out
of until we create the state. Create new nat64 rules as floating, but bind them
to the appropriate interface on the first pf_route(), when we do know.

Set state policy if-bound for the nat64 tests to validate this.

See also: 6460322a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47801


# a43589dc 07-Nov-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: add an SCTP test case for nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47794


# 7e309356 30-Oct-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: add a UDP test case for nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47793


# 22c63490 28-Oct-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: add a TCP test case for nat64

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47792


# 0656a680 21-Oct-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: basic nat64 test case

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47791