NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kern/52074: -current npf map directive broken

Hi Frank!

On 07/05/2017 22:07, Frank Kardel wrote:
> Hmm, wouldn't this bring us back the bug again? ia == NULL for a
> non-local source addresses (generated via pfil_run_hooks-NAT operation)
> and IP_FORWARDING is not set as tcp_input.c:syn_cache_respond does
> rightfully not set IP_FORWARDING and pfil_run_hooks has no means to set
> that flag. That gives us error == -1 with your sequence.
> So we would return EADDRNOTAVAIL breaking packet filter NAT action
> again, if I didn't overlook something.

Ah yes.
I didn't actually read your initial report .... my bad!
OK, so I don't fully understand the use case for sending packets from an
address we don't have locally. Could you fill me in on this please?

> From what I understand  this code originally attempted to avoid sending
> from invalid/unusable local address (e. g. duplicate IP - error,
> tentative and detached should just be dropped).
> No validation can be done for non-local addresses at all. IP_FORWARDING
> formerly used to be used to suppress infinite recursion on mcast
> forwarding, but it seems the semantics where extended a little bit in
> the mean time (like here to suppress a check).
> So I cannot say something about the intentions for the IP_FORWARDING check.

I *think* the idea was IP_FORWARDING would be set and we could skip
source address validation because the filter may have changed it.
Does NAT not hit that? I ask because I do run NPF+NAT on my erlite
router which uses -current, but my mapping rule uses a local address -
hence asking for your use case about a non local address.

Could NAT set another flag we could check? rmind?


Home | Main Index | Thread Index | Old Index