svn commit: r223836 - stable/8/sys/netgraph
Andrey V. Elsukov
ae at FreeBSD.org
Thu Jul 7 09:32:44 UTC 2011
Author: ae
Date: Thu Jul 7 09:32:43 2011
New Revision: 223836
URL: http://svn.freebsd.org/changeset/base/223836
Log:
MFC r222808:
Sync ng_nat with recent (r222806) ipfw_nat changes:
Make the behaviour of the libalias-based in-kernel NAT a bit closer to
how natd(8) works. natd(8) drops packets only when libalias returns
PKT_ALIAS_IGNORED and the "deny_incoming" option is set, but ipfw_nat
always dropped packets that were not aliased, even if they should
not be aliased and are just passing through.
Also add SCTP support: mark response packets to skip firewall processing.
Modified:
stable/8/sys/netgraph/ng_nat.c
Directory Properties:
stable/8/sys/ (props changed)
stable/8/sys/amd64/include/xen/ (props changed)
stable/8/sys/cddl/contrib/opensolaris/ (props changed)
stable/8/sys/contrib/dev/acpica/ (props changed)
stable/8/sys/contrib/pf/ (props changed)
Modified: stable/8/sys/netgraph/ng_nat.c
==============================================================================
--- stable/8/sys/netgraph/ng_nat.c Thu Jul 7 09:29:11 2011 (r223835)
+++ stable/8/sys/netgraph/ng_nat.c Thu Jul 7 09:32:43 2011 (r223836)
@@ -43,6 +43,7 @@
#include <machine/in_cksum.h>
#include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_parse.h>
@@ -703,22 +704,35 @@ ng_nat_rcvdata(hook_p hook, item_p item
KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
("ng_nat: ip_len != m_pkthdr.len"));
+ /*
+ * We drop packet when:
+ * 1. libalias returns PKT_ALIAS_ERROR;
+ * 2. For incoming packets:
+ * a) for unresolved fragments;
+ * b) libalias returns PKT_ALIAS_IGNORED and
+ * PKT_ALIAS_DENY_INCOMING flag is set.
+ */
if (hook == priv->in) {
rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
- if (rval != PKT_ALIAS_OK &&
- rval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+ if (rval == PKT_ALIAS_ERROR ||
+ rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+ (rval == PKT_ALIAS_IGNORED &&
+ (priv->lib->packetAliasMode &
+ PKT_ALIAS_DENY_INCOMING) != 0)) {
NG_FREE_ITEM(item);
return (EINVAL);
}
} else if (hook == priv->out) {
rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
- if (rval != PKT_ALIAS_OK) {
+ if (rval == PKT_ALIAS_ERROR) {
NG_FREE_ITEM(item);
return (EINVAL);
}
} else
panic("ng_nat: unknown hook!\n");
+ if (rval == PKT_ALIAS_RESPOND)
+ m->m_flags |= M_SKIP_FIREWALL;
m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
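Review bot: The new incoming-hook condition reads `priv->lib->packetAliasMode` directly, which is the reason the first hunk pulls in the private header `<netinet/libalias/alias_local.h>`; that couples ng_nat to libalias internals and, if the instance is guarded by libalias's own lock, the read happens outside it. The public API already exposes the current mode as the return value of `LibAliasSetMode(priv->lib, 0, 0)` (a zero mask leaves the mode unchanged), which would keep the check behind the library's interface and may make the new include unnecessary. The `M_SKIP_FIREWALL` assignment after the hook dispatch also deserves a why-comment tying it to the commit message, e.g. `/* PKT_ALIAS_RESPOND: libalias built this reply itself (SCTP); let it bypass the firewall. */` — worth confirming that this is the only case in which libalias returns PKT_ALIAS_RESPOND, since the flag exempts the packet from all further firewall processing. ng_nat_rcvdata continues outside the hunk.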