FreeBSD/src aeddee8 sbin/pfctl parse.y pfctl.c, sbin/pfctl/tests pfctl_test.c pfctl_test_list.inc

pfctl: Split pool parsing into separate functions

The pf pools are used in NAT, route-to and af-to rules. Some parts of
code are duplicated between them. Create functions apply_redirspec(),
apply_nat_ports() and apply_rdr_ports() to handle the common tasks.

Simplify data structures used for pool parsing. Move the contents of
struct redirection to struct redirspec. Map all ways of parsing pools
directly onto struct redirspec. Name various forms of struct redirspec
to hint where they are used.

Remove struct redirspec *rroute from struct filter_opts, because
filter_opts is bzero()'ed after the route part of rule is parsed, and
thus can't be used.

Add tests to ensure that parsing and error messages behave as expected.
The tests have been written and tested with pfctl from before this
patch.


    [6 lines not shown]
Delta        File
+260 -309    sbin/pfctl/parse.y
+162 -32     sbin/pfctl/tests/pfctl_test.c
+37 -0       sbin/pfctl/tests/pfctl_test_list.inc
+10 -0       sbin/pfctl/pfctl.c
+3 -0        sbin/pfctl/tests/files/pf1054.in
+1 -1        sbin/pfctl/tests/files/pf1026.ok
+473 -342    77 files not shown
+550 -344    83 files

FreeBSD/src 7a372bd sbin/pfctl parse.y pfctl_parser.c, sbin/pfctl/tests/files pf1027.ok pf1027.in

pf: make reply-to work with nat64

Just like route-to, reply-to is problematic when used in combination with nat64.

In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.

We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.

Add a functional test case, and a test for pfctl's rule printing.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta        File
+54 -34      sys/netpfil/pf/pf.c
+45 -0       tests/sys/netpfil/pf/nat64.sh
+2 -2        sbin/pfctl/parse.y
+2 -1        sbin/pfctl/pfctl_parser.c
+1 -0        sbin/pfctl/tests/files/pf1027.ok
+1 -0        sbin/pfctl/tests/files/pf1027.in
+105 -37     1 files not shown
+106 -37     7 files