On 20.7.2022. 22:27, Alexandr Nedvedicky wrote:
> Hello,
>
> below is a final version of patch for NAT issue discussed at bugs@ [1].
> Patch below is updated according to feedback I got from Chris, claudio@
> and hrvoje@.
>
> The summary of changes is as follows:
>
> - prevent infinite loop when packet hits NAT rule as follows:
>       pass out on em0 from 172.16.0.0/16 to any nat-to { 49/27 }
>   the issue has been introduced by my earlier commit [2]. The earlier
>   change makes pf(4) interpret 49/27 as a single IP address (POOL_NONE).
>   This is wrong, because pool 49/27 actually contains 32 addresses.
>
> - while investigating the issue I've realized 'random' pool should
>   rather be using arc4_uniform() with upper limit derived from mask.
>   Also the random number should be turned to netorder.
>
> - also while I was debugging my change I've noticed we should be using
>   pf_poolmask() to obtain address as a combination of pool address
>   and result of generator (round-robin all random).
>
> OK to commit?
>
> thanks and
> regards
> sashan
>
>
> [1] https://marc.info/?t=165813368200001&r=1&w=2
>     https://marc.info/?t=165732546500001&r=1&w=2
>     https://marc.info/?l=openbsd-bugs&m=165817500514813&w=2
>
> [2] https://marc.info/?l=openbsd-cvs&m=164500117319660&w=2
Hi all, I've tested this diff and from what I see NAT behaves as it should and it's changing IP addresses quite nicely.
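To make the pool arithmetic in the quoted message concrete, here is an added example in C (my own illustration, not the patch and not pf(4)'s pf_poolmask() code): it models a nat-to pool as an address plus prefix length, derives the number of pool members from the mask, and combines the pool's fixed prefix bits with a generator index the way the mail describes for pf_poolmask(), for both round-robin and random selection. The pool address 192.0.2.49/27 is constructed for the demo as a full-form version of the mail's 49/27 shorthand, demo_uniform() is a deterministic stand-in for the kernel's arc4_uniform(), and all arithmetic is in host byte order; the conversion to network order that the mail also calls out is left to htonl() at the point of use.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from its four octets. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	       ((uint32_t)c << 8) | (uint32_t)d;
}

/* Network mask for an IPv4 prefix length, host order. */
uint32_t prefix_mask(int prefixlen)
{
	if (prefixlen <= 0)
		return 0;
	if (prefixlen >= 32)
		return 0xffffffffu;
	return 0xffffffffu << (32 - prefixlen);
}

/* Number of addresses in the pool: 2^(32 - prefixlen) for prefixes 1..32.
 * A /32 pool holds exactly one address (the POOL_NONE case in the mail);
 * a /27 holds 32, which is why treating 49/27 as one address was wrong.
 * Returns 0 for prefix lengths this demo does not support. */
uint32_t pool_size(int prefixlen)
{
	if (prefixlen >= 32)
		return 1;
	if (prefixlen <= 0)
		return 0;
	return 1u << (32 - prefixlen);
}

/* Model of pf_poolmask(): prefix bits come from the pool address,
 * host bits come from the generator result. */
uint32_t poolmask(uint32_t pool_addr, uint32_t mask, uint32_t gen)
{
	return (pool_addr & mask) | (gen & ~mask);
}

/* The idx-th member of the pool, wrapping at the pool size.
 * Returns 0 (never a usable NAT address) for an unsupported prefix. */
uint32_t pool_nth(uint32_t pool_addr, int prefixlen, uint32_t idx)
{
	uint32_t n = pool_size(prefixlen);
	if (n == 0)
		return 0;
	return poolmask(pool_addr, prefix_mask(prefixlen), idx % n);
}

/* Round-robin: hand out the next member and advance the caller's counter. */
uint32_t pool_round_robin(uint32_t pool_addr, int prefixlen, uint32_t *counter)
{
	uint32_t pick = pool_nth(pool_addr, prefixlen, *counter);
	uint32_t n = pool_size(prefixlen);
	if (n != 0)
		*counter = (*counter + 1) % n;
	return pick;
}

/* Random: draw a uniform index below the pool size (the mail's arc4_uniform()
 * with an upper limit derived from the mask) and mask it into the prefix. */
uint32_t pool_random(uint32_t pool_addr, int prefixlen, uint32_t (*uniform)(uint32_t))
{
	uint32_t n = pool_size(prefixlen);
	if (n == 0)
		return 0;
	return poolmask(pool_addr, prefix_mask(prefixlen), uniform(n));
}

/* Deterministic stand-in for arc4_uniform(): a small LCG reduced modulo n.
 * Only for this demo; it is not a substitute for the kernel CSPRNG. */
uint32_t demo_uniform(uint32_t n)
{
	static uint32_t state = 0x12345678u;
	state = state * 1664525u + 1013904223u;
	return (state >> 8) % n;
}

static void print_ip4(const char *label, uint32_t a)
{
	printf("%s %u.%u.%u.%u\n", label, a >> 24, (a >> 16) & 0xff,
	       (a >> 8) & 0xff, a & 0xff);
}

int main(void)
{
	/* Constructed pool: 192.0.2.49/27, i.e. members 192.0.2.32 .. 192.0.2.63 */
	uint32_t pool = ip4(192, 0, 2, 49);
	uint32_t counter = 0;
	int i;

	printf("pool size for /27: %u\n", pool_size(27));
	for (i = 0; i < 4; i++)
		print_ip4("round-robin:", pool_round_robin(pool, 27, &counter));
	for (i = 0; i < 3; i++)
		print_ip4("random:     ", pool_random(pool, 27, demo_uniform));
	return 0;
}
```

The point the mail makes shows up directly: a /27 pool yields 32 candidates, 192.0.2.32 through 192.0.2.63, and the 49 in 49/27 is just one member, not the base. A /32 pool collapses to the single address, which is the only case where the POOL_NONE treatment is correct.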