Bug 237477 - kernel option PF_DEFAULT_TO_DROP breaks rdr rules with pass keyword.
Summary: kernel option PF_DEFAULT_TO_DROP breaks rdr rules with pass keyword.
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 12.0-RELEASE
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-net (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-22 21:20 UTC by mickey242
Modified: 2019-05-25 10:17 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description mickey242 2019-04-22 21:20:21 UTC
Using a custom kernel built with

options PF_DEFAULT_TO_DROP

seems to prevent rdr rules that have an explicit pass keyword specified from functioning as intended. i.e.

rdr pass log on $int_if inet proto tcp to port 4242 -> 127.0.0.1 port 4242

This rule should redirect and pass tcp traffic arriving on the internal interface and destined for port 4242 to 127.0.0.1 port 4242. The log shows that the rule is matched and applied, but the traffic never makes it to it's intended destination. Using a kernel built without the option PF_DEFAULT_TO_DROP the rule works as intended and passes the traffic through.
Comment 1 Kristof Provost freebsd_committer 2019-05-25 10:17:45 UTC
I think I see what's going on there.
PF_DEFAULT_TO_DROP sets V_pf_default_rule.action = PF_DROP;

A 'rdr pass' sets the 'natpass' flag on a rule (I think, not 100% sure), which causes us to do:
if (nr->natpass)
    r = NULL;

in pf_test_rule().
That's intended to just select the default rule, which usually passes traffic. With 'PF_DEFAULT_TO_DROP' that doesn't work as expected.

Note that I'm not picking this bug up right now. It's on my todo list with many dozens of others. I make no promises about when I'll come back to this.