Change Details

It only makes sense that nat rules change source address post-routing and rdr rules change destination address pre-routing. Old-style nat rules don't include direction in rule definition and the resulting action is applied to packets only in direction following those guidelines. New-style address translation is done by nat-to and rdr-to actions on normal match and pass rules. Those rules, when used without address translation, can be specified without direction. But that allows users to specify pre-routing nat and post-routing rdr. This case is not handled properly and causes pre-routing nat to modify destination address, as if it was a rdr rule, and post-routing rdr to modify source address, as if it was a nat rule. Ensure that nat-to action modifies source address and rdr-to destination address no matter in which direction the rule is applied for the sake of code correctness and prevent users from loading such rules, because they would not work in most scenarios anyway (e.g. pre-routing nat-to to outbound interface address would translate properly but packets flowing in the opposite direction would never be forwarded back due to routing configuration). PR: 288577 MFC after: 3 days Sponsored by: InnoGames GmbH

New-style address translation is done by nat-to and rdr-to actions on normal match and pass rules. Those rules, when used without address translation, can be specified without direction. But that allows users to specify pre-routing nat and post-routing rdr. This case is not handled properly and causes pre-routing nat to modify destination address, as if it was a rdr rule, and post-routing rdr to modify source address, as if it was a nat rule. Ensure that nat-to action modifies source address and rdr-to destination address no matter in which direction the rule is applied. The man page for pf.conf already specifies that nat-to and rdr-to rules should be limited to respective directions.

It only makes sense that nat rules change source address post-routing and rdr rules change destination address pre-routing. Old-style nat rules don't include direction in rule definition and the resulting action is applied to packets only in direction following those guidelines. New-style address translation is done by nat-to and rdr-to actions on normal match and pass rules. Those rules, when used without address translation, can be specified without direction. But that allows users to specify pre-routing nat and post-routing rdr. This case is not handled properly and causes pre-routing nat to modify destination address, as if it was a rdr rule, and post-routing rdr to modify source address, as if it was a nat rule. Ensure that nat-to action modifies source address and rdr-to destination address no matter in which direction the rule is applied for the sake of. The man page code correctness and prevent users from loading suchfor pf.conf already specifies that nat-to and rdr-to rules, because they should be would not work in most scenarios anyway (e.g. pre-routing nat-to to outbound interface address would translate properly but packets flowing in the opposite direction would never be forwarded back due to routing configuration). PR: 288577 MFC after: 3 days Sponsored by: InnoGames GmbHlimited to respective directions.