pf: fix 'no rdr'

kprovost · cperciva · commit f138688ea41a · 2025-10-22T13:12:34.000-07:00
Ensure we always have a non-NULL rule pointer (ctx.rm). It might have gotten set to NULL by pf_get_translation(). While here also restore the previous rdr behaviour be re-adding the incorrectly removed 'break' in pf_match_translation_rule. Approved by: re (cperciva) PR: 290177 MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D53191 (cherry picked from commit cb36bfe) (cherry picked from commit 536b075)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
@@ -5939,6 +5939,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
 		ctx.nat_pool = &(ctx.nr->rdr);
 	}
 
+	*ctx.rm = &V_pf_default_rule;
 	if (ctx.nr && ctx.nr->natpass) {
 		r = ctx.nr;
 		ruleset = *ctx.rsm;
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
@@ -216,6 +216,7 @@ pf_match_translation_rule(int rs_num, struct pf_test_ctx *ctx, struct pf_krulese
 				 */
 				ctx->arsm = ctx->aruleset;
 			}
+			break;
 		} else {
 			ctx->a = r;			/* remember anchor */
 			ctx->aruleset = ruleset;	/* and its ruleset */
diff --git a/tests/sys/netpfil/pf/rdr.sh b/tests/sys/netpfil/pf/rdr.sh
@@ -338,11 +338,62 @@ natpass_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "pr290177" "cleanup"
+pr290177_head()
+{
+	atf_set descr 'Test PR290177'
+	atf_set require.user root
+}
+
+pr290177_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+
+	ifconfig ${epair}a 192.0.2.2/24 up
+	ifconfig ${epair}a inet alias 192.0.2.3/24 up
+
+	vnet_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore \
+	    ping -c 1 192.0.2.1
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+	    "table <white> { 192.0.2.2 }" \
+	    "no rdr inet proto tcp from <white> to any port 25" \
+	    "rdr pass inet proto tcp from any to any port 25 -> 127.0.0.1 port 2500"
+
+	echo foo | jexec alcatraz nc -N -l 2500 &
+	sleep 1
+
+	reply=$(nc -w 3 -s 192.0.2.2 192.0.2.1 25)
+	if [ "${reply}" == "foo" ]
+	then
+		atf_fail "no rdr rule failed"
+	fi
+	reply=$(nc -w 3 -s 192.0.2.3 192.0.2.1 25)
+	if [ "${reply}" != "foo" ]
+	then
+		atf_fail "rdr rule failed"
+	fi
+}
+
+pr290177_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "natpass"
 	atf_add_test_case "tcp_v6_compat"
 	atf_add_test_case "tcp_v6_pass"
 	atf_add_test_case "srcport_compat"
 	atf_add_test_case "srcport_pass"
+	atf_add_test_case "pr290177"
 }

Original file line number	Diff line number	Diff line change
`@@ -5939,6 +5939,7 @@ pf_test_rule(struct pf_krule rm, struct pf_kstate sm,`
`5939`	`5939`	`ctx.nat_pool = &(ctx.nr->rdr);`
`5940`	`5940`	`}`
`5941`	`5941`
	`5942`	`+ *ctx.rm = &V_pf_default_rule;`
`5942`	`5943`	`if (ctx.nr && ctx.nr->natpass) {`
`5943`	`5944`	`r = ctx.nr;`
`5944`	`5945`	`ruleset = *ctx.rsm;`
Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,7 @@ pf_match_translation_rule(int rs_num, struct pf_test_ctx *ctx, struct pf_krulese`
`216`	`216`	`*/`
`217`	`217`	`ctx->arsm = ctx->aruleset;`
`218`	`218`	`}`
	`219`	`+ break;`
`219`	`220`	`} else {`
`220`	`221`	`ctx->a = r; /* remember anchor */`
`221`	`222`	`ctx->aruleset = ruleset; /* and its ruleset */`