svn commit: r337558 - head/sys/contrib/ipfilter/netinet

Fri Aug 10 00:04:34 UTC 2018

Author: cy
Date: Fri Aug 10 00:04:32 2018
New Revision: 337558
URL: https://svnweb.freebsd.org/changeset/base/337558

Log:
  Identify the return value (rval) that led to the IPv4 NAT failure
  in ipf_nat_checkout() and report it in the frb_natv4out and frb_natv4in
  dtrace probes.
  
  This is currently being used to diagnose NAT failures in PR/208566. It's
  rather handy so this commit makes it available for future diagnosis and
  debugging efforts.
  
  PR:		208566
  MFC after:	1 week

Modified:
  head/sys/contrib/ipfilter/netinet/ip_nat.c

Modified: head/sys/contrib/ipfilter/netinet/ip_nat.c
==============================================================================

--- head/sys/contrib/ipfilter/netinet/ip_nat.c	Fri Aug 10 00:01:21 2018	(r337557)
+++ head/sys/contrib/ipfilter/netinet/ip_nat.c	Fri Aug 10 00:04:32 2018	(r337558)
@@ -4951,7 +4951,7 @@ retry_roundrobin:
 				case 0 :
 					continue;
 				case -1 :
-					rval = -1;
+					rval = -3;
 					goto outmatchfail;
 				case 1 :
 				default :
@@ -4996,7 +4996,7 @@ retry_roundrobin:
 				natfailed = 0;
 				break;
 			}
-			natfailed = -1;
+			natfailed = -2;
 		}
 		if ((np == NULL) && (nmsk < softn->ipf_nat_map_max)) {
 			nmsk++;
@@ -5021,15 +5021,23 @@ outmatchfail:
 
 	switch (rval)
 	{
+	case -3 :
+		/* ipf_nat_match() failure */
+		/* FALLTHROUGH */
+	case -2 :
+		/* retry_roundrobin loop failure */
+		/* FALLTHROUGH */
 	case -1 :
+		/* proxy failure detected by ipf_nat_out() */
 		if (passp != NULL) {
-			DT1(frb_natv4out, fr_info_t *, fin);
+			DT2(frb_natv4out, fr_info_t *, fin, int, rval);
 			NBUMPSIDED(1, ns_drop);
 			*passp = FR_BLOCK;
 			fin->fin_reason = FRB_NATV4;
 		}
 		fin->fin_flx |= FI_BADNAT;
 		NBUMPSIDED(1, ns_badnat);
+		rval = -1;	/* We only return -1 on error. */
 		break;
 	case 0 :
 		NBUMPSIDE(1, ns_ignored);
@@ -5437,7 +5445,7 @@ retry_roundrobin:
 				case 0 :
 					continue;
 				case -1 :
-					rval = -1;
+					rval = -3;
 					goto inmatchfail;
 				case 1 :
 				default :
@@ -5484,7 +5492,7 @@ retry_roundrobin:
 				natfailed = 0;
 				break;
 			}
-			natfailed = -1;
+			natfailed = -2;
 		}
 		if ((np == NULL) && (rmsk < softn->ipf_nat_rdr_max)) {
 			rmsk++;
@@ -5509,15 +5517,23 @@ inmatchfail:
 
 	switch (rval)
 	{
+	case -3 :
+		/* ipf_nat_match() failure */
+		/* FALLTHROUGH */
+	case -2 :
+		/* retry_roundrobin loop failure */
+		/* FALLTHROUGH */
 	case -1 :
+		/* proxy failure detected by ipf_nat_out() */
 		if (passp != NULL) {
-			DT1(frb_natv4in, fr_info_t *, fin);
+			DT2(frb_natv4in, fr_info_t *, fin, int, rval);
 			NBUMPSIDED(0, ns_drop);
 			*passp = FR_BLOCK;
 			fin->fin_reason = FRB_NATV4;
 		}
 		fin->fin_flx |= FI_BADNAT;
 		NBUMPSIDED(0, ns_badnat);
+		rval = -1;	/* We only return -1 on error. */
 		break;
 	case 0 :
 		NBUMPSIDE(0, ns_ignored);
