Date:      Thu, 7 Jul 2011 09:32:43 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r223836 - stable/8/sys/netgraph
Message-ID:  <201107070932.p679Wh2G055706@svn.freebsd.org>

Author: ae
Date: Thu Jul  7 09:32:43 2011
New Revision: 223836
URL: http://svn.freebsd.org/changeset/base/223836

Log:
  MFC r222808:
    Sync ng_nat with recent (r222806) ipfw_nat changes:
  
      Make the behaviour of the libalias-based in-kernel NAT a bit closer to
      how natd(8) works. natd(8) drops packets only when libalias returns
      PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
      always did drop packets that were not aliased, even if they should
      not be aliased and just are going through.
  
    Also add SCTP support: mark response packets to skip firewall processing.

Modified:
  stable/8/sys/netgraph/ng_nat.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/netgraph/ng_nat.c
==============================================================================
--- stable/8/sys/netgraph/ng_nat.c	Thu Jul  7 09:29:11 2011	(r223835)
+++ stable/8/sys/netgraph/ng_nat.c	Thu Jul  7 09:32:43 2011	(r223836)
@@ -43,6 +43,7 @@
 #include <machine/in_cksum.h>
 
 #include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
 
 #include <netgraph/ng_message.h>
 #include <netgraph/ng_parse.h>
@@ -703,22 +704,35 @@ ng_nat_rcvdata(hook_p hook, item_p item 
 	KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
 	    ("ng_nat: ip_len != m_pkthdr.len"));
 
+	/*
+	 * We drop packet when:
+	 * 1. libalias returns PKT_ALIAS_ERROR;
+	 * 2. For incoming packets:
+	 *	a) for unresolved fragments;
+	 *	b) libalias returns PKT_ALIAS_IGNORED and
+	 *		PKT_ALIAS_DENY_INCOMING flag is set.
+	 */
 	if (hook == priv->in) {
 		rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-		if (rval != PKT_ALIAS_OK &&
-		    rval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+		if (rval == PKT_ALIAS_ERROR ||
+		    rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+		    (rval == PKT_ALIAS_IGNORED &&
+		     (priv->lib->packetAliasMode &
+		      PKT_ALIAS_DENY_INCOMING) != 0)) {
 			NG_FREE_ITEM(item);
 			return (EINVAL);
 		}
 	} else if (hook == priv->out) {
 		rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-		if (rval != PKT_ALIAS_OK) {
+		if (rval == PKT_ALIAS_ERROR) {
 			NG_FREE_ITEM(item);
 			return (EINVAL);
 		}
 	} else
 		panic("ng_nat: unknown hook!\n");
 
+	if (rval == PKT_ALIAS_RESPOND)
+		m->m_flags |= M_SKIP_FIREWALL;
 	m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
 
 	if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
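Review bot: The new incoming-direction test reads `priv->lib->packetAliasMode` directly, which is why the first hunk has to pull in the private `alias_local.h`; that ties ng_nat to the layout of `struct libalias` rather than to the public API. If I recall the libalias API correctly, `LibAliasSetMode(priv->lib, 0, 0)` returns the current mode without changing it, so the condition could be written as `(LibAliasSetMode(priv->lib, 0, 0) & PKT_ALIAS_DENY_INCOMING) != 0` and the private include dropped; worth confirming against alias.c before switching. The comment block above the dispatch documents the drop rules but not the new `M_SKIP_FIREWALL` marking, which lets a packet synthesized by libalias bypass ipfw entirely; a one-line comment such as `/* Replies generated by libalias itself (PKT_ALIAS_RESPOND, e.g. SCTP) must not be re-inspected by the firewall. */` above that `if` would make the security intent explicit. ng_nat_rcvdata begins and ends outside this hunk, so I could not check where `rval` is declared and whether it is initialized before the hook dispatch.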


