Hello,

On Mon, Aug 01, 2022 at 06:37:58PM +0200, Hrvoje Popovski wrote:
> On 20.7.2022. 22:27, Alexandr Nedvedicky wrote:
> > Hello,
> > 
> > below is a final version of patch for NAT issue discussed at bugs@ [1].
> > Patch below is updated according to feedback I got from Chris, claudio@
> > and hrvoje@.
> > 
> > The summary of changes is as follows:
> > 
> >     - prevent infinite loop when packet hits NAT rule as follows:
> >           pass out on em0 from 172.16.0.0/16 to any nat-to { 49/27 }
> >       the issue has been introduced by my earlier commit [2]. The earlier
> >       change makes pf(4) interpret 49/27 as a single IP address (POOL_NONE).
> >       This is wrong, because pool 49/27 actually contains 32 addresses.
> > 
> >     - while investigating the issue I've realized the 'random' pool should
> >       rather be using arc4_uniform() with an upper limit derived from the mask.
> >       Also, the random number should be turned to netorder.
> > 
> >     - also while I was debugging my change I've noticed we should be using
> >       pf_poolmask() to obtain the address as a combination of the pool address
> >       and the result of the generator (round-robin and random).
> > 
> > OK to commit?
> > 
> > thanks and
> > regards
> > sashan
> > 
> > 
> > [1] https://marc.info/?t=165813368200001&r=1&w=2
> >     https://marc.info/?t=165732546500001&r=1&w=2
> >     https://marc.info/?l=openbsd-bugs&m=165817500514813&w=2
> > 
> > [2] https://marc.info/?l=openbsd-cvs&m=164500117319660&w=2
> 
> 
> Hi all,
> 
> I've tested this diff and from what I see NAT behaves as it should and
> it's changing IP addresses quite nicely.
> 
> 

    thank you, Hrvoje, for carrying out an independent test. I'll commit the
    diff later today if there are no objections.

thanks and
regards
sashan
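The pool-size and byte-order points from the quoted summary, as an added C example that is not part of this thread or of OpenBSD's pf(4) code: the 192.0.2.0/27 pool, the addr_n/pool_size/poolmask/pick_random names and the fixed_five generator are constructed stand-ins for the real pf routines, and `uniform` plays the role of the arc4_uniform()-style call the thread mentions.

```c
#include <stdint.h>
#include <arpa/inet.h>

/* Parse a dotted quad into a network-order 32-bit value (0 on bad input). */
static uint32_t addr_n(const char *s)
{
	struct in_addr a;
	return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

/* Number of addresses a prefix covers: /27 -> 32, /32 -> 1 (a real single
 * address). Treating a /27 pool as one address is the bug described above. */
static uint32_t pool_size(int prefixlen)
{
	return prefixlen >= 32 ? 1 : (uint32_t)1 << (32 - prefixlen);
}

/* Netmask for a prefix length, in network byte order like the pool address. */
static uint32_t prefix_mask_n(int prefixlen)
{
	return prefixlen <= 0 ? 0 : htonl(~(uint32_t)0 << (32 - prefixlen));
}

/* pf_poolmask-style merge: network bits come from the pool address, host
 * bits from the generator. Every operand must be in network byte order. */
static uint32_t poolmask(uint32_t pool_n, uint32_t mask_n, uint32_t gen_n)
{
	return (pool_n & mask_n) | (gen_n & ~mask_n);
}

/* Pick an address from pool/prefixlen. 'uniform' returns a host-order value
 * in [0, upper), the upper limit being derived from the mask. The offset is
 * converted with htonl() before masking: without that step, on a
 * little-endian host the offset bits land in the wrong byte, ~mask_n masks
 * them away, and every pick collapses to the first address of the pool. */
static uint32_t pick_random(uint32_t pool_n, int prefixlen,
    uint32_t (*uniform)(uint32_t))
{
	uint32_t off = uniform(pool_size(prefixlen));
	return poolmask(pool_n, prefix_mask_n(prefixlen), htonl(off));
}

/* Deterministic stand-in generator so the result can be checked. */
static uint32_t fixed_five(uint32_t upper) { return 5 % upper; }
```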
