Date: Sun, 30 Apr 2017 08:11:48 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 218968] [patch] [libalias] unbreak translation of transit PPtP/GRE for "nat global" case Message-ID: <bug-218968-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218968 Bug ID: 218968 Summary: [patch] [libalias] unbreak translation of transit PPtP/GRE for "nat global" case Product: Base System Version: 11.0-STABLE Hardware: Any OS: Any Status: New Keywords: patch Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: eugen@freebsd.org Keywords: patch Created attachment 182189 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182189&action=edit fix libalias for LibAliasOutTry() case Assume we have several ipfw nat (or natd) instances and utilize "nat global" feature to select alias_address for outgoing packets that already have corresponding state in one of aliasing instances. This standard setup works just fine for ICMP, UDP, TCP and SCTP packes but not for others. For example, outgoing PPtP/GRE packets always get alias_address of latest configured instance no matter whether such packet has corresponding state or not. The bug is in ProtoAliasOut() function that ignores its "create" argument and performs translation regardless of its value. This static function is called only by LibAliasOutLocked() function and only for packers other than ICMP, UDP, TCP and SCTP passing its "create" argument unmodified. For every NAT instance, "ipfw nat global" code calls LibAliasOutTry() with create=0 that leads to LibAliasOutLocked() call and then to ProtoAliasOut() that returns PKT_ALIAS_OK. So, "ipfw nat global" translates non-ICP/UDP/TCP/SCTP packet using last configured instance (first in the chain) and that may be wrong. Attached patch makes ProtoAliasOut() respect its "create" argument and stop translation in case of create == 0 with return of PKT_ALIAS_IGNORED. We have only two consumers of LibAliasOutLocked() in the source tree calling it with create != 1: mentioned "ipfw nat global" code and similar natd code having same problem. The patch fixes it too. All other consumers of LibAliasOutLocked() call it with create = 1 and patch is "no-op" for such case. For example, the patch unbreaks translation of outgoing transit PPtP/GRE connections for described configuration. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-218968-8>