[Bug 218968] [patch] [libalias] unbreak translation of transit PPtP/GRE for "nat global" case

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Apr 30 08:11:48 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218968

            Bug ID: 218968
           Summary: [patch] [libalias] unbreak translation of transit
                    PPtP/GRE for "nat global" case
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: eugen at freebsd.org
          Keywords: patch

Created attachment 182189
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182189&action=edit
fix libalias for LibAliasOutTry() case

Assume we have several ipfw nat (or natd) instances and utilize "nat global"
feature to select alias_address for outgoing packets that already have
corresponding state in one of aliasing instances. This standard setup works
just fine for ICMP, UDP, TCP and SCTP packes but not for others. For example,
outgoing PPtP/GRE packets always get alias_address of latest configured
instance no matter whether such packet has corresponding state or not.

The bug is in ProtoAliasOut() function that ignores its "create" argument and
performs translation regardless of its value. This static function is called
only by LibAliasOutLocked() function and only for packers other than ICMP, UDP,
TCP and SCTP passing its "create" argument unmodified.

For every NAT instance, "ipfw nat global" code calls LibAliasOutTry() with
create=0 that leads to LibAliasOutLocked() call and then to ProtoAliasOut()
that returns PKT_ALIAS_OK. So, "ipfw nat global" translates
non-ICP/UDP/TCP/SCTP packet using last configured instance (first in the chain)
and that may be wrong.

Attached patch makes ProtoAliasOut() respect its "create" argument and stop
translation in case of create == 0 with return of PKT_ALIAS_IGNORED.

We have only two consumers of LibAliasOutLocked() in the source tree calling it
with create != 1: mentioned "ipfw nat global" code and similar natd code having
same problem. The patch fixes it too. All other consumers of
LibAliasOutLocked() call it with create = 1 and patch is "no-op" for such case.

For example, the patch unbreaks translation of outgoing transit PPtP/GRE
connections for described configuration.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list