On Wed, Apr 09, 2008 at 05:36:57PM +0900, Ryan McBride wrote:
> You're right, it should be relatively easy to give binat a 'no state'
> option...

Try the attached diff, e.g.:

binat on egress from 192.168.100.1 to any -> 10.99.99.99 no state

Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.567
diff -u -r1.567 pf.c
--- sys/net/pf.c        20 Feb 2008 23:40:13 -0000      1.567
+++ sys/net/pf.c        9 Apr 2008 11:41:02 -0000
@@ -3321,7 +3321,8 @@
                return (PF_DROP);
        }
 
-       if (!state_icmp && (r->keep_state || nr != NULL ||
+       if (!state_icmp && (r->keep_state ||
+           (nr != NULL && nr->keep_state) ||
            (pd->flags & PFDESC_TCP_NORM))) {
                /* create new state */
                struct pf_state *s = NULL;
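Review bot: After this change the kernel treats any translation rule whose keep_state is 0 as stateless, so the burden of keeping nat/rdr stateful moves entirely to whoever builds the pf_rule; the parse.y part of this diff covers rules that go through pfctl's parser, but anything that loads nat/rdr rules through the pf ioctl interface directly and relied on the old `nr != NULL` behaviour would presumably lose its state entries silently unless it also sets keep_state. Nothing in pf.c restricts the stateless case to binat, which is the only translation the grammar allows `no state` on, so the condition deserves a why-comment such as `/* nr->keep_state is 0 only for "binat ... no state"; pfctl always sets it for nat/rdr */`. The enclosing function starts and ends outside this hunk.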
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.536
diff -u -r1.536 parse.y
--- sbin/pfctl/parse.y  1 Feb 2008 06:58:45 -0000       1.536
+++ sbin/pfctl/parse.y  9 Apr 2008 11:41:02 -0000
@@ -439,7 +439,7 @@
 %type  <v.number>              number icmptype icmp6type uid gid
 %type  <v.number>              tos not yesno
 %type  <v.probability>         probability
-%type  <v.i>                   no dir af fragcache optimizer
+%type  <v.i>                   no dir af fragcache optimizer binatkeep
 %type  <v.i>                   sourcetrack flush unaryop statelock
 %type  <v.b>                   action nataction natpasslog scrubaction
 %type  <v.b>                   flags flag blockspec
@@ -3741,6 +3741,7 @@
                        memset(&r, 0, sizeof(r));
 
                        r.action = $1.b1;
+                       r.keep_state = 1;
                        r.natpass = $1.b2;
                        r.log = $1.w;
                        r.logif = $1.w2;
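Review bot: `r.keep_state = 1;` is now what keeps every nat and rdr rule stateful, since the kernel no longer infers state from the mere presence of a translation rule, but the line carries no explanation and sits between unrelated field assignments where a later edit could drop it. A one-line comment would prevent that, e.g. `/* nat and rdr always keep state; only binat may opt out (see binatkeep) */`. The natrule action this belongs to starts and ends outside the hunk.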
@@ -3889,8 +3890,12 @@
                }
                ;
 
+binatkeep      : /* empty */   { $$ = 1; }
+               | NO STATE      { $$ = 0; }
+               ;       
+
 binatrule      : no BINAT natpasslog interface af proto FROM host TO ipspec tag
-                   tagged rtable redirection
+                   tagged rtable redirection binatkeep
                {
                        struct pf_rule          binat;
                        struct pf_pooladdr      *pa;
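Review bot: The `;` line closing the new binatkeep production carries trailing whitespace (`+               ;       `), which the tree's style does not allow and which will show up in later diffs; it should be just `;`. The binatrule action that follows continues well past the end of this hunk, so the use of the new `$15` value cannot be checked here.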
@@ -3915,6 +3920,7 @@
                        binat.log = $3.b2;
                        binat.logif = $3.w2;
                        binat.af = $5;
+                       binat.keep_state = $15;
                        if (!binat.af && $8 != NULL && $8->af)
                                binat.af = $8->af;
                        if (!binat.af && $10 != NULL && $10->af)
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.235
diff -u -r1.235 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c   15 Oct 2007 02:16:35 -0000      1.235
+++ sbin/pfctl/pfctl_parser.c   9 Apr 2008 11:41:02 -0000
@@ -986,6 +986,8 @@
                printf(" -> ");
                print_pool(&r->rpool, r->rpool.proxy_port[0],
                    r->rpool.proxy_port[1], r->af, r->action);
+               if (!r->keep_state && r->action == PF_BINAT)
+                       printf(" no state");
        }
 }
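Review bot: Printing ` no state` only for PF_BINAT mirrors the grammar, but now that nat, rdr and binat rules all carry keep_state == 1 by default, the earlier part of print_rule (outside this hunk) that prints ` keep state` for filter rules must be guarded on the action, otherwise `pfctl -sn` output would gain a ` keep state` token that the translation grammar does not accept and the rules would no longer round-trip through the parser; worth confirming against the current print_rule. A comment on the new condition would also help, e.g. `/* only binat can be stateless; nat/rdr are always printed without a state keyword */`.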
 
