svn commit: r223837 - stable/7/sys/netinet
Andrey V. Elsukov
ae at FreeBSD.org
Thu Jul 7 09:42:33 UTC 2011
Author: ae
Date: Thu Jul 7 09:42:32 2011
New Revision: 223837
URL: http://svn.freebsd.org/changeset/base/223837
Log:
MFC r222806:
Make a behaviour of the libalias based in-kernel NAT a bit closer to
how natd(8) does work. natd(8) drops packets only when libalias returns
PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
always did drop packets that were not aliased, even if they should
not be aliased and just are going through.
PR: kern/122109, kern/129093, kern/157379
Submitted by: Alexander V. Chernikov (previous version)
Modified:
stable/7/sys/netinet/ip_fw_nat.c
Directory Properties:
stable/7/sys/ (props changed)
stable/7/sys/cddl/contrib/opensolaris/ (props changed)
stable/7/sys/contrib/dev/acpica/ (props changed)
stable/7/sys/contrib/pf/ (props changed)
Modified: stable/7/sys/netinet/ip_fw_nat.c
==============================================================================
--- stable/7/sys/netinet/ip_fw_nat.c Thu Jul 7 09:32:43 2011 (r223836)
+++ stable/7/sys/netinet/ip_fw_nat.c Thu Jul 7 09:42:32 2011 (r223837)
@@ -322,8 +322,18 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t->lib, c,
mcl->m_len + M_TRAILINGSPACE(mcl));
- if (retval != PKT_ALIAS_OK &&
- retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+ /*
+ * We drop packet when:
+ * 1. libalias returns PKT_ALIAS_ERROR;
+ * 2. For incoming packets:
+ * a) for unresolved fragments;
+ * b) libalias returns PKT_ALIAS_IGNORED and
+ * PKT_ALIAS_DENY_INCOMING flag is set.
+ */
+ if (retval == PKT_ALIAS_ERROR ||
+ (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+ (retval == PKT_ALIAS_IGNORED &&
+ (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
/* XXX - should i add some logging? */
m_free(mcl);
badnat:
More information about the svn-src-stable-7
mailing list