Hi, I'm using the Jan 20 snapshot, although I got similar results using a snapshot from late October.
I'm trying to use "divert-packet" to grab NAT'd packets, analyze them in a user-space program, and then put them back into the stack. Here is my pf.conf (with ext_if and divport defined accordingly):

    match in all scrub (no-df reassemble tcp max-mss 1440)
    match out all scrub (no-df reassemble tcp)
    pass out quick on $ext_if from 192.168.53.0/24 divert-packet port $divport nat-to ($ext_if)
    pass quick on $ext_if inet all divert-packet port $divport

And it works pretty well for _either_ NAT or divert-to. Packets directly from the machine get intercepted correctly, and machines on the 192.168.53.0/24 network get access to the external network. The problem is using them both together.

What my divert program sees when I try to telnet to an external webserver from a NAT'd machine is:

    SYN packet from $external_ip:64000 to $web_server:80

and then

    SYN/ACK packet from $web_server:80 to 192.168.53.101:60179

pfctl -sa shows this state:

    all tcp $external_ip:64000 (192.168.53.101:60179) -> $web_server:80 ESTABLISHED:ESTABLISHED

So it looks like "divert" sees the packet after NAT translation, both ways, when what I'd want is to either 1. see it before NAT outbound and after NAT inbound, or 2. preferably, the opposite of both of those.

I've changed the last two lines of my pf.conf into two separate rules, like this:

    pass in quick on $ext_if divert-packet port $divport
    pass out on $ext_if from 192.168.53.0/24 divert-packet port $divport nat-to ($ext_if)

to try and let divert-packet get to the packets first, but no dice.

Has anyone else had better luck than me using these two features together? Is there a way to change the order of divert and NAT rules? (I tried this on the internal interface and I think divert happened _before_ NAT translation. In theory I could try to sniff both the internal interfaces as well as the external and match them up, but that seems wrong.)
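If the divert program has to live with post-translation packets on the external interface, the pf state table already records the pre-NAT endpoint in parentheses, exactly as in the pfctl output quoted above. The following is an added example, not code from the original post: it parses pfctl -ss lines of that shape and maps a diverted packet in either direction back to the internal host's flow. The state lines and addresses are constructed sample data, and the line format is assumed to be the one shown in the post.

```python
import re

# Constructed sample of `pfctl -ss` output in the shape shown in the post; the
# addresses are documentation ranges, not real hosts.
SAMPLE_STATES = """\
all tcp 203.0.113.10:64000 (192.168.53.101:60179) -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:51234 -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:40001 (192.168.53.102:5353) -> 198.51.100.7:53       MULTIPLE:MULTIPLE
"""

# interface, proto, translated src, optional "(original src)", "->", dst
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<osrc>[\d.]+):(?P<osport>\d+)\))?"   # present only when nat-to applied
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_states(text):
    """Index NAT'd states two ways: by the translated outbound 5-tuple and by
    the internal (pre-NAT) flow 5-tuple. Lines without a parenthesised
    endpoint are untranslated states (traffic from the box itself) and are skipped."""
    by_translated, internal_flows = {}, set()
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m.group("osrc") is None:
            continue
        flow = (m.group("proto"), m.group("osrc"), int(m.group("osport")),
                m.group("dst"), int(m.group("dport")))
        translated = (m.group("proto"), m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport")))
        by_translated[translated] = flow
        internal_flows.add(flow)
    return by_translated, internal_flows

def internal_flow(states, proto, src, sport, dst, dport):
    """Return (proto, internal_ip, internal_port, remote_ip, remote_port) for a
    packet as the divert socket delivers it, or None if pf has no NAT state.
    Outbound packets arrive already translated (src = external address) and are
    looked up by that tuple; inbound replies already carry the internal address
    as destination (as in the post's SYN/ACK), so they are only flipped into flow order."""
    by_translated, internal_flows = states
    flow = by_translated.get((proto, src, sport, dst, dport))
    if flow is not None:
        return flow
    flipped = (proto, dst, dport, src, sport)
    return flipped if flipped in internal_flows else None
```

In a real divert program the text would come from running pfctl -ss (or the state table would be refreshed periodically), since a state can disappear between the packet being diverted and the lookup.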