From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218968] [patch] [libalias] unbreak translation of transit PPtP/GRE for "nat global" case
Date: Sun, 30 Apr 2017 08:11:48 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218968

Bug ID: 218968
Summary: [patch] [libalias] unbreak translation of transit PPtP/GRE for "nat global" case
Product: Base System
Version: 11.0-STABLE
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: eugen@freebsd.org

Created attachment 182189
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182189&action=edit
fix libalias for LibAliasOutTry() case

Assume we have several ipfw nat (or natd) instances and utilize the "nat global" feature to select alias_address for outgoing packets that already have corresponding state in one of the aliasing instances. This standard setup works just fine for ICMP, UDP, TCP and SCTP packets but not for others. For example, outgoing PPtP/GRE packets always get the alias_address of the latest configured instance no matter whether such a packet has corresponding state or not.

The bug is in the ProtoAliasOut() function, which ignores its "create" argument and performs translation regardless of its value. This static function is called only by the LibAliasOutLocked() function and only for packets other than ICMP, UDP, TCP and SCTP, passing its "create" argument unmodified.

For every NAT instance, the "ipfw nat global" code calls LibAliasOutTry() with create=0, which leads to a LibAliasOutLocked() call and then to ProtoAliasOut(), which returns PKT_ALIAS_OK. So, "ipfw nat global" translates a non-ICMP/UDP/TCP/SCTP packet using the last configured instance (first in the chain), and that may be wrong.

The attached patch makes ProtoAliasOut() respect its "create" argument and stop translation in case of create == 0, returning PKT_ALIAS_IGNORED.
We have only two consumers of LibAliasOutLocked() in the source tree calling it with create != 1: the mentioned "ipfw nat global" code and similar natd code having the same problem. The patch fixes it too. All other consumers of LibAliasOutLocked() call it with create = 1, and the patch is a "no-op" for such a case.

For example, the patch unbreaks translation of outgoing transit PPtP/GRE connections for the described configuration.

-- 
You are receiving this mail because:
You are the assignee for the bug.
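The behaviour described in the report, as an added model that is not libalias code and not the attached patch: three NAT instances are walked "nat global" style (last configured first) with create == 0, the TCP/UDP path honours create, and the generic-protocol path is shown in its original form (create ignored, always PKT_ALIAS_OK) beside the patched form the report describes (create == 0 returns PKT_ALIAS_IGNORED). Every name, constant, address and the link-table layout here is an assumption made for the illustration; the real PPtP-specific handling that lets the instance holding the state claim the GRE packet afterwards is outside the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the outgoing libalias path under "ipfw nat global".
 * Constructed for this bug report; constants, names and addresses are assumed. */
#define PKT_ALIAS_OK      1
#define PKT_ALIAS_IGNORED 2
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

enum { PROTO_TCP = 6, PROTO_UDP = 17, PROTO_GRE = 47 };

struct packet {
    uint8_t  proto;
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;  /* meaningful for TCP/UDP only */
};

struct nat_instance {
    const char   *name;
    uint32_t      alias_addr;
    struct packet links[8]; /* existing state, one entry per link */
    int           nlinks;
};

/* Look up existing state; add a new link only when create != 0. */
static struct packet *find_link(struct nat_instance *la, const struct packet *p, int create)
{
    for (int i = 0; i < la->nlinks; i++) {
        struct packet *l = &la->links[i];
        int ports_match = (p->proto != PROTO_TCP && p->proto != PROTO_UDP) ||
                          (l->sport == p->sport && l->dport == p->dport);
        if (l->proto == p->proto && l->src == p->src && l->dst == p->dst && ports_match)
            return l;
    }
    if (!create || la->nlinks == 8)
        return NULL;
    la->links[la->nlinks] = *p;
    return &la->links[la->nlinks++];
}

/* TCP/UDP path: a create == 0 probe only matches existing state. */
static int udp_tcp_alias_out(struct nat_instance *la, struct packet *p, int create)
{
    if (find_link(la, p, create) == NULL)
        return PKT_ALIAS_IGNORED;
    p->src = la->alias_addr;
    return PKT_ALIAS_OK;
}

/* Generic-protocol path before the patch: create is ignored, state is created
 * and the packet is translated on every call. */
static int proto_alias_out_buggy(struct nat_instance *la, struct packet *p, int create)
{
    (void)create;
    find_link(la, p, 1);
    p->src = la->alias_addr;
    return PKT_ALIAS_OK;
}

/* Generic-protocol path as the report describes the patch. */
static int proto_alias_out_fixed(struct nat_instance *la, struct packet *p, int create)
{
    if (!create)
        return PKT_ALIAS_IGNORED;
    return proto_alias_out_buggy(la, p, 1);
}

static int lib_alias_out_locked(struct nat_instance *la, struct packet *p, int create, int patched)
{
    if (p->proto == PROTO_TCP || p->proto == PROTO_UDP)
        return udp_tcp_alias_out(la, p, create);
    return patched ? proto_alias_out_fixed(la, p, create)
                   : proto_alias_out_buggy(la, p, create);
}

/* "nat global": probe each instance (last configured first) with create == 0;
 * the first PKT_ALIAS_OK wins. Returns NULL when no instance claims the packet. */
static struct nat_instance *nat_global(struct nat_instance **chain, int n, struct packet *p, int patched)
{
    for (int i = 0; i < n; i++)
        if (lib_alias_out_locked(chain[i], p, 0, patched) == PKT_ALIAS_OK)
            return chain[i];
    return NULL;
}

/* Constructed scenario: nat1..nat3 configured in that order; only nat2 holds
 * state for a PPtP control connection and its GRE flow from 10.0.0.5.
 * Returns the instance number nat global picked (0 = none) and the source
 * address the packet left with. */
int run_scenario(uint8_t proto, int patched, uint32_t *src_out)
{
    struct nat_instance nat1 = { "nat1", IP4(198, 51, 100, 1), {{0}}, 0 };
    struct nat_instance nat2 = { "nat2", IP4(198, 51, 100, 2), {{0}}, 0 };
    struct nat_instance nat3 = { "nat3", IP4(198, 51, 100, 3), {{0}}, 0 };
    struct nat_instance *chain[] = { &nat3, &nat2, &nat1 };
    struct packet ctl = { PROTO_TCP, IP4(10, 0, 0, 5), IP4(203, 0, 113, 7), 40000, 1723 };
    struct packet gre = { PROTO_GRE, IP4(10, 0, 0, 5), IP4(203, 0, 113, 7), 0, 0 };

    find_link(&nat2, &ctl, 1);  /* nat2's own rule created this state earlier */
    find_link(&nat2, &gre, 1);

    struct packet p = (proto == PROTO_TCP) ? ctl : gre;
    struct nat_instance *chosen = nat_global(chain, 3, &p, patched);
    *src_out = p.src;
    return chosen ? chosen->name[3] - '0' : 0;
}

int main(void)
{
    const uint8_t protos[] = { PROTO_TCP, PROTO_GRE };
    for (int patched = 0; patched < 2; patched++)
        for (int k = 0; k < 2; k++) {
            uint32_t s;
            int n = run_scenario(protos[k], patched, &s);
            printf("%s %-3s -> instance %d, src %u.%u.%u.%u\n", patched ? "patched " : "original",
                   k ? "GRE" : "TCP", n, (unsigned)(s >> 24), (unsigned)(s >> 16 & 255),
                   (unsigned)(s >> 8 & 255), (unsigned)(s & 255));
        }
    return 0;
}
```

With the original generic path the GRE packet is claimed by nat3, the last configured instance, although its state lives in nat2; with the patched path no instance claims it on the create == 0 probe and the packet leaves untranslated, which is what lets the instance that actually holds the state handle it. The TCP control connection picks nat2 either way, matching the report's observation that the TCP path is unaffected.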