pf and UDP source port 500

App & System Services Networking
axeldevforums OP
Created Nov ’15
Replies 2
Boosts 0
Views 224
Participants 2

Hello,


While troubleshooting racoon's behavior with multiple clients behind a same NAT gateway, I was experimenting with pf's nat capabilities.

Upon that occasion, I noticed that UDP source port 500 is never translated by pf.


Looking in xnu-2782.40.9, I found this one at line 3235 of bsd/net/pf.c:


/--- Never float IKE source port ---*/

if (ntohs(sxport->port) == PF_IKE_PORT) {

nxport->port = sxport->port;

return (0);

}


According to the surrounding code, this is the only exception for UDP packets, and it is a hard-coded one.


Is that code ("pf.c") the one in use for compiling the kernel?

If yes, what's the rationale for such an hardcoded exception?


TIA,

Axel

Replies  2
Boosts  0
Views  224
Participants  2
NotMyName OP
Nov ’15

As far as I can tell, the reason is RFC 3947 (NAT traversal for IKE) and RFC 2409 (IKE).


It looks like it's a specified exception.

0
axeldevforums OP
Dec ’15

Hmmm... not sure.


RFC3947's purpose is to provide a mechanism for allowing IKE packets to traverse NATs.

pf's role is (amongst others) to nat packets; all packets, including IKE ones.


Axel

0
pf and UDP source port 500
First post date Last post date
 
 
Q