* NATCompiler_pf.cpp (VerifyRules::processNext): see #1401. Because

of the change in the nat and rdr rules syntax in 4.7, I can no longer implement no-nat rules correctly for this version. They dropped the "no" keyword and their examples suggest using "pass" to implement exclusions for the nat rules. I need no-nat rule to just not translate but not make a decision whether the packet should be passed or dropped. In the new PF model, translation rules are just options on the matching policy rules and they do not offer any keyword or option to not translate.
2026-03-25 12:47:44 +01:00 · 2010-04-23 04:38:51 +00:00 · 2010-04-23 04:38:51 +00:00 · 433b8332a7
commit 433b8332a7
parent fdb388659d
3 changed files with 35 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 2826
+#define BUILD_NUM 2827
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,15 @@
 2010-04-22  vadim  <vadim@vk.crocodile.org>

+	* NATCompiler_pf.cpp (VerifyRules::processNext): see #1401. Because
+	of the change in the nat and rdr rules syntax in 4.7, I can no
+	longer implement no-nat rules correctly for this version. They
+	dropped the "no" keyword and their examples suggest using "pass"
+	to implement exclusions for the nat rules. I need no-nat rule to
+	just not translate but not make a decision whether the packet
+	should be passed or dropped. In the new PF model, translation
+	rules are just options on the matching policy rules and they do
+	not offer any keyword or option to not translate.
+
 	* NATCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1401
 	nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
 	4.7 should be implemented using action "match" and keywords
--- a/src/pflib/NATCompiler_pf.cpp
+++ b/src/pflib/NATCompiler_pf.cpp
@ -155,8 +155,6 @@ bool NATCompiler_pf::NATRuleType::processNext()
        return true;
    }

-
-
    if (tsrc->isAny() && tdst->isAny() && 
        (tsrv->isAny() || (tsrv->getId() == osrv->getId()))
    )
@ -344,6 +342,8 @@ bool NATCompiler_pf::VerifyRules::processNext()
 {
    NATRule *rule=getNext(); if (rule==NULL) return false;

+    string version = compiler->fw->getStr("version");
+
    RuleElementOSrc  *osrc=rule->getOSrc();  assert(osrc);
    RuleElementODst  *odst=rule->getODst();  assert(odst);
    RuleElementOSrv  *osrv=rule->getOSrv();  assert(osrv);
@ -352,6 +352,28 @@ bool NATCompiler_pf::VerifyRules::processNext()
    RuleElementTDst  *tdst=rule->getTDst();  assert(tdst);
    RuleElementTSrv  *tsrv=rule->getTSrv();  assert(tsrv);

+    /*
+     * because of the change in the nat and rdr rules syntax in
+     * 4.7, I can no longer implement no-nat rules correctly for
+     * this version. They dropped the "no" keyword and their
+     * examples suggest using "pass" to implement exclusions for
+     * the nat rules. I need no-nat rule to just not translate but
+     * not make a decision whether the packet should be passed or
+     * dropped. In the new PF model, translation rules are just
+     * options on the matching policy rules and they do not offer
+     * any keyword or option to not translate.
+     */
+    if (rule->getRuleType()==NATRule::NONAT &&
+        XMLTools::version_compare(version, "4.7")>=0)
+    {
+        compiler->abort(
+            rule,
+            "No translation rules are not supported for PF 4.7, "
+            "use negation to implement exclusions");
+        return true;
+    }
+
+
    if (rule->getRuleType()==NATRule::DNAT && odst->size()!=1)
    {
 	compiler->abort(