Date: Thu, 7 Jul 2011 09:42:32 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r223837 - stable/7/sys/netinet Message-ID: <201107070942.p679gWmQ056067@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Thu Jul 7 09:42:32 2011 New Revision: 223837 URL: http://svn.freebsd.org/changeset/base/223837 Log: MFC r222806: Make a behaviour of the libalias based in-kernel NAT a bit closer to how natd(8) does work. natd(8) drops packets only when libalias returns PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat always did drop packets that were not aliased, even if they should not be aliased and just are going through. PR: kern/122109, kern/129093, kern/157379 Submitted by: Alexander V. Chernikov (previous version) Modified: stable/7/sys/netinet/ip_fw_nat.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/netinet/ip_fw_nat.c ============================================================================== --- stable/7/sys/netinet/ip_fw_nat.c Thu Jul 7 09:32:43 2011 (r223836) +++ stable/7/sys/netinet/ip_fw_nat.c Thu Jul 7 09:42:32 2011 (r223837) @@ -322,8 +322,18 @@ ipfw_nat(struct ip_fw_args *args, struct else retval = LibAliasOut(t->lib, c, mcl->m_len + M_TRAILINGSPACE(mcl)); - if (retval != PKT_ALIAS_OK && - retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) { + /* + * We drop packet when: + * 1. libalias returns PKT_ALIAS_ERROR; + * 2. For incoming packets: + * a) for unresolved fragments; + * b) libalias returns PKT_ALIAS_IGNORED and + * PKT_ALIAS_DENY_INCOMING flag is set. + */ + if (retval == PKT_ALIAS_ERROR || + (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || + (retval == PKT_ALIAS_IGNORED && + (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) { /* XXX - should i add some logging? */ m_free(mcl); badnat:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107070942.p679gWmQ056067>