pf(4) action match/overload somehow?
Date: Sun, 20 Mar 2022 11:56:15 UTC
Hello, the following real-world problem urged me to allow UDP connections from LAN to any. STUN is used to establish a fictitious UDP connection to the connecting peer on a specific port, to drill the state-hole. Therefore, I have these translation rules added before the general (non-"static-port" <- the NAT UDP-traversal key) translation rules (translation is a first-match-wins):

    nat on $INTERLINK_IF4 inet proto tcp from <cml_lansrc-approvedrtc> to <wknfriendly_cmlapproved-stun> port { 3478 5349 } -> $WANCMLnat static-port
    nat on $INTERLINK_IF4 inet proto udp from <cml_lansrc-approvedrtc> to ! ($INTERLINK_IF4:0:network) port >= 1024 -> $WANCMLnat static-port

The corresponding filter rules look like this for my example:

    pass in quick on $CML_IF inet proto { tcp udp } from <cml_lansrc-approvedrtc> to { <wknfriendly_cmlapproved-stun> <wknfriendly_cmlapproved-turn> } port { 3478 5349 } tag INTERLINK-op
    pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc> to <wknfriendly_cmlapproved-turn> port >= 49152 tag INTERLINK-op
    pass in quick on $CML_IF inet proto udp from <cml_lansrc-approvedrtc> port > 1023 to any port >= 1023 tag INTERLINK-op

(actually "any" reads "! <_directnetaddrs-auto>", but it's of no matter to this topic and just more confusing in case...)

My problem is, I have to generously add any potential LAN client to <cml_lansrc-approvedrtc>, which I'd like to avoid (especially for the any-destination rule - last one above).
One way to avoid this was if I could use something like a "match" action in combination with what the state option "overload" provides: do something on rule hit - filling a table in this case, which could look like this:

    <Non-existing rule syntax>
    match in record-srcip on $IF inet proto { tcp udp } from $IF to <wknfriendly_cmlapproved-stun> port 3478 table <cml_lansrc-approvedrtc>
    </Non-existing rule syntax>

This way, the permission to connect with global IP (and originating src-port) to any UDP destination is only allowed for clients which have previously talked to one of our well known and approved STUN servers.

Any idea if there's already something in pf(4) which could provide a similar solution? "overload" is only available for max-src-conn and max-src-conn-rate, which in turn is for TCP only.

Thanks,
-harry
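[Added example, not part of harry's post.] pf has no rule action that records a packet's source into a table, but the effect the post asks for can be approximated in user space: give the STUN pass rule the "log" keyword, read pflog0 with tcpdump(8), and add every LAN source that reached an approved STUN server to <cml_lansrc-approvedrtc> with pfctl(8). The table name comes from the post; the opened-up STUN rule in the comment, the tcpdump line format (the "-e" pflog format, sample line constructed) and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): approximate the wished-for
# "match ... record-srcip ... table <T>" action in user space. The STUN
# pass rule is logged, and a reader on pflog0 feeds each logged LAN
# source into the table via pfctl(8).
# Assumptions: table name as in the post; tcpdump "-e" line format on
# pflog0 (the sample line in stun_src_ip is constructed).

TABLE=cml_lansrc-approvedrtc
STUN_PORTS='3478|5349'   # ports of the approved STUN/TURN pass rule

# stun_src_ip LINE
# Print the source IPv4 address of a logged "pass in" packet whose
# destination port is one of $STUN_PORTS; print nothing otherwise.
# Expected input (constructed, as printed by: tcpdump -n -e -i pflog0):
#   Mar 20 11:56:15.123456 rule 12/(match) pass in on em1: 192.168.10.23.51234 > 203.0.113.5.3478: udp 20
stun_src_ip() {
    printf '%s\n' "$1" | awk -v ports="$STUN_PORTS" '
        / pass in / {
            # "SRC.PORT > DST.PORT:" sit around the ">" token
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            if (src == "") next
            sub(/:$/, "", dst)
            n = split(src, s, "."); m = split(dst, d, ".")
            if (n != 5 || m != 5) next          # IPv4 with port only
            srcip = s[1] "." s[2] "." s[3] "." s[4]
            if (d[5] ~ ("^(" ports ")$")) print srcip
        }'
}

# add_to_table IP
# Add IP to the pf table. With DRY_RUN set, only print the command.
add_to_table() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "pfctl -t $TABLE -T add $1"
    else
        pfctl -t "$TABLE" -T add "$1" >/dev/null 2>&1
    fi
}

# watch_stun
# Follow pflog0 and feed every LAN client that reached an approved STUN
# server into the table. The STUN rule must be open to the LAN and logged,
# e.g. (assumed rule, derived from the post's first filter rule):
#   pass in log quick on $CML_IF inet proto { tcp udp } from $CML_IF:network \
#       to <wknfriendly_cmlapproved-stun> port { 3478 5349 } tag INTERLINK-op
watch_stun() {
    tcpdump -l -n -e -i pflog0 '(port 3478 or port 5349)' \
    | while IFS= read -r line; do
        ip=$(stun_src_ip "$line")
        [ -n "$ip" ] && add_to_table "$ip"
    done
}

# Run the watcher only when asked:  sh stun_table.sh watch
if [ "${1:-}" = "watch" ]; then
    watch_stun
fi
```

Because the pass rule itself already restricts the destination to <wknfriendly_cmlapproved-stun>, only hits on approved servers ever reach pflog0, so the reader does not need its own allow-list. Entries added this way stay in the table until removed; a periodic "pfctl -t cml_lansrc-approvedrtc -T expire 3600" from cron(8) ages them out, the same way overload tables are usually pruned.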