On Mon, Nov 21, 2016 at 07:11:23PM +0100, Mike Belopuhov wrote:
> On Mon, Nov 14, 2016 at 16:38 +0100, Alexander Bluhm wrote:
> > Hi,
> >
> > The !r->rt case is only used by af-to.  pf_route6() calls ip6_output()
> > to do the work while pf_route() has some custom implementation for
> > that.  It is simpler to call ip_output() or ip6_output() from
> > pf_test() directly.
> >
> > ok?
> >
> > bluhm
> >
> > Index: net/pf.c
> > ===================================================================
> > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
> > retrieving revision 1.998
> > diff -u -p -r1.998 pf.c
> > --- net/pf.c	14 Nov 2016 13:25:00 -0000	1.998
> > +++ net/pf.c	14 Nov 2016 14:08:57 -0000
> > @@ -6908,10 +6884,28 @@ done:
> >  			action = PF_DROP;
> >  			break;
> >  		}
> > -		if (pd.naf == AF_INET)
> > -			pf_route(&pd, r, s);
> > -		if (pd.naf == AF_INET6)
> > -			pf_route6(&pd, r, s);
> > +		if (r->rt) {
> > +			switch (pd.naf) {
> > +			case AF_INET:
> > +				pf_route(&pd, r, s);
> > +				break;
> > +			case AF_INET6:
> > +				pf_route6(&pd, r, s);
> > +				break;
> > +			}
> > +		}
>
> Is the r->rt check there to catch additional dup-to/route-to actions
> hooked on to the af-to rule?  Does it actually work?
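Review bot: the quoted hunk shows only the new r->rt branch, while the !r->rt path that the description says should now call ip_output() or ip6_output() directly from pf_test() is not visible (the hunk header counts 28 new-side lines but only 14 are quoted), so from this fragment one cannot confirm that an af-to rule without route-to still gets its translated packet sent. The removed code called pf_route()/pf_route6() unconditionally for every pd.naf, so gating the calls on r->rt changes behaviour for exactly those rules; please quote the else branch (or the rest of the hunk) so the af-to-only path can be reviewed together with this guard. Minor: the switch on pd.naf has no default case, so an unexpected address family silently does nothing, as it did before; a 'default:' that drops the packet or asserts would make the intent explicit.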
I don't have my test bed ready to play with NAT-64 + PBR.  The only thing
I've tried is the parser and it seems to me NAT-64 + PBR is problematic:

    echo 'pass in on net1 inet af-to inet6 from 2001:db8::1 to 2001:db8::/96 route-to 2001:db8::1@net0' | pfctl -n -f -
    stdin:1: af mismatch in routing spec
    stdin:1: skipping rule due to errors
    stdin:1: rule expands to no valid combination

The parser does not allow me to use an IPv6 address as a next hop.  As soon
as I remove the next hop, the parser accepts the rule:

    echo 'pass in on net1 inet af-to inet6 from 2001:db8::1 to 2001:db8::/96 route-to net0' | pfctl -n -f -

bluhm's change should not alter the behavior of the older code.

regards
sasha