From owner-svn-src-stable@freebsd.org Wed Dec 26 12:54:25 2018
Message-Id: <201812261254.wBQCsOGt010835@repo.freebsd.org>
From: Kristof Provost
Date: Wed, 26 Dec 2018 12:54:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r342542 - stable/12/sys/netpfil/pf
X-SVN-Group: stable-12
X-SVN-Commit-Author: kp
X-SVN-Commit-Paths: stable/12/sys/netpfil/pf
X-SVN-Commit-Revision: 342542
X-SVN-Commit-Repository: base
List-Id: SVN commit messages for all the -stable branches of the src tree

Author: kp
Date: Wed Dec 26 12:54:24 2018
New Revision: 342542

URL: https://svnweb.freebsd.org/changeset/base/342542

Log:
  MFC r341998:

  pf: Fix endless loop on NAT exhaustion with sticky-address

  When we try to find a source port in pf_get_sport() it's possible that all
  available source ports will be in use. In that case we call pf_map_addr() to
  try to find a new source IP to try from. If there are no more available
  source IPs pf_map_addr() will return 1 and we stop trying.

  However, if sticky-address is set we'll always return the same IP address,
  even if we've already tried that one. We need to check the supplied address,
  because if that's the one we'd set it means pf_get_sport() has already tried
  it, and we should error out rather than keep trying.
PR: 233867 Modified: stable/12/sys/netpfil/pf/pf.c stable/12/sys/netpfil/pf/pf_lb.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/netpfil/pf/pf.c ============================================================================== --- stable/12/sys/netpfil/pf/pf.c Wed Dec 26 11:03:14 2018 (r342541) +++ stable/12/sys/netpfil/pf/pf.c Wed Dec 26 12:54:24 2018 (r342542) @@ -5513,6 +5513,8 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, dst.sin_len = sizeof(dst); dst.sin_addr = ip->ip_dst; + bzero(&naddr, sizeof(naddr)); + if (TAILQ_EMPTY(&r->rpool.list)) { DPFPRINTF(PF_DEBUG_URGENT, ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); @@ -5671,6 +5673,8 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, dst.sin6_family = AF_INET6; dst.sin6_len = sizeof(dst); dst.sin6_addr = ip6->ip6_dst; + + bzero(&naddr, sizeof(naddr)); if (TAILQ_EMPTY(&r->rpool.list)) { DPFPRINTF(PF_DEBUG_URGENT, Modified: stable/12/sys/netpfil/pf/pf_lb.c ============================================================================== --- stable/12/sys/netpfil/pf/pf_lb.c Wed Dec 26 11:03:14 2018 (r342541) +++ stable/12/sys/netpfil/pf/pf_lb.c Wed Dec 26 12:54:24 2018 (r342542) @@ -324,6 +324,12 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct src node was created just a moment ago in pf_create_state and it needs to be filled in with routing decision calculated here. */ if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { + /* If the supplied address is the same as the current one we've + * been asked before, so tell the caller that there's no other + * address to be had. */ + if (PF_AEQ(naddr, &(*sn)->raddr, af)) + return (1); + PF_ACPY(naddr, &(*sn)->raddr, af); if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf_map_addr: src tracking maps ");
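Review bot: the `bzero(&naddr, sizeof(naddr));` added in pf_route() needs a one-line comment saying why it is there, because on its own it looks redundant and is an easy target for a later cleanup. naddr is a stack local that pf_route() hands to pf_map_addr(), and with the new `PF_AEQ(naddr, &(*sn)->raddr, af)` test in pf_lb.c an uninitialized naddr that happened to equal the cached raddr would make pf_map_addr() report exhaustion and pf_route() give up on the packet. Zeroing it is what rules that out, since the comparison only runs when raddr is known to be non-zero.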
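Review bot: the pf_route6() hunk puts the blank line before `bzero(&naddr, sizeof(naddr));` while the pf_route() hunk puts it after, so here the bzero sits directly against the following `if (TAILQ_EMPTY(&r->rpool.list))` with no separation. Lay both call sites out the same way (blank line after the bzero, matching pf_route()) so the IPv4 and IPv6 paths stay easy to diff against each other.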
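Review bot: the new `if (PF_AEQ(naddr, &(*sn)->raddr, af)) return (1);` makes naddr an in/out parameter of pf_map_addr(), and that contract belongs in the function's header comment, not only in this inline one: callers must pass either the address they last received from pf_map_addr() or an all-zero address, never an uninitialized one, otherwise a stale value that matches the sticky raddr is reported as exhaustion. The guard itself is sound as written, since the enclosing `!PF_AZERO(&(*sn)->raddr, af)` guarantees a zeroed naddr cannot match, and in pf_get_sport() the address passed back in is exactly the one whose ports were just scanned, which is what terminates the loop from PR 233867.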
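The retry the log message describes, as an added example that is not FreeBSD code: a constructed C model of pf_get_sport() asking pf_map_addr() for source addresses, with the sticky-address check from this commit switchable, so the same lookup either never terminates (unfixed) or reports exhaustion cleanly (fixed). The struct, the two-address pool, the four-port range and the port-usage table are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the pf_get_sport()/pf_map_addr() interaction, not FreeBSD code:
 * addresses are uint32_t, the pool is a two-entry array, port usage is a fixed table. */
#define POOL_SIZE 2
struct model {
	uint32_t pool[POOL_SIZE];
	int rr_idx;            /* round-robin cursor into pool */
	uint32_t sticky_raddr; /* cached source-tracking address, 0 = none yet */
	bool sticky;           /* rule has sticky-address */
	bool fixed;            /* apply the r342542 "already tried" check */
};
struct result { int rc; uint32_t addr; int port; };
/* Stand-in for pf_map_addr(): 0 with *naddr set, or 1 when nothing is left. */
static int model_map_addr(struct model *m, uint32_t *naddr)
{
	if (m->sticky && m->sticky_raddr != 0) {
		/* Fix: caller passed the address it already tried, so report exhaustion. */
		if (m->fixed && *naddr == m->sticky_raddr) return (1);
		*naddr = m->sticky_raddr; /* unfixed: same address, every time */
		return (0);
	}
	if (m->rr_idx >= POOL_SIZE) return (1);
	*naddr = m->pool[m->rr_idx++];
	if (m->sticky) m->sticky_raddr = *naddr;
	return (0);
}
/* Constructed port table: all ports busy on 10.0.0.1, only port 3 free on 10.0.0.2. */
static bool port_in_use(uint32_t addr, int port) { return (addr != 0x0a000002 || port != 3); }
/* Stand-in for pf_get_sport(): scan ports on the current address, then ask for another.
 * 0 = found, 1 = exhausted, -1 = would loop forever (cut off after max_iter rounds). */
static int model_get_sport(struct model *m, int max_iter, uint32_t *oaddr, int *oport)
{
	uint32_t naddr = 0; /* zeroed by the caller, as pf_route() does after r342542 */
	for (int iter = 0; iter <= max_iter; iter++) {
		if (model_map_addr(m, &naddr) != 0) return (1);
		for (int p = 0; p < 4; p++) /* four-port range */
			if (!port_in_use(naddr, p)) { *oaddr = naddr; *oport = p; return (0); }
	}
	return (-1);
}
/* One lookup against a fresh pool; 'cached' pre-seeds the sticky source-tracking entry. */
static struct result run_scenario(bool sticky, bool fixed, uint32_t cached)
{
	struct model m = { {0x0a000001, 0x0a000002}, 0, cached, sticky, fixed };
	struct result r = { 0, 0, -1 };
	r.rc = model_get_sport(&m, 16, &r.addr, &r.port);
	return (r);
}
```

With sticky-address and a cached entry, the unfixed model keeps receiving 10.0.0.1 and never stops, while the fixed model returns 1 on the second request; a non-sticky rule rotates to 10.0.0.2 and finds port 3.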