Author: ae
Date: Thu Jul  7 09:29:11 2011
New Revision: 223835
URL: http://svn.freebsd.org/changeset/base/223835

Log:
  MFC r222806:
    Make the behaviour of the libalias-based in-kernel NAT a bit closer to
    how natd(8) works. natd(8) drops packets only when libalias returns
    PKT_ALIAS_IGNORED and the "deny_incoming" option is set, but ipfw_nat
    always dropped packets that were not aliased, even if they should
    not have been aliased and were just passing through.
  
    PR:         kern/122109, kern/129093, kern/157379
    Submitted by:       Alexander V. Chernikov (previous version)

Modified:
  stable/8/sys/netinet/ipfw/ip_fw_nat.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
==============================================================================
--- stable/8/sys/netinet/ipfw/ip_fw_nat.c       Thu Jul  7 08:33:58 2011        
(r223834)
+++ stable/8/sys/netinet/ipfw/ip_fw_nat.c       Thu Jul  7 09:29:11 2011        
(r223835)
@@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
        else
                retval = LibAliasOut(t->lib, c,
                        mcl->m_len + M_TRAILINGSPACE(mcl));
-       if (retval == PKT_ALIAS_RESPOND) {
-               m->m_flags |= M_SKIP_FIREWALL;
-               retval = PKT_ALIAS_OK;
-       }
-       if (retval != PKT_ALIAS_OK &&
-           retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+
+       /*
+        * We drop packet when:
+        * 1. libalias returns PKT_ALIAS_ERROR;
+        * 2. For incoming packets:
+        *      a) for unresolved fragments;
+        *      b) libalias returns PKT_ALIAS_IGNORED and
+        *              PKT_ALIAS_DENY_INCOMING flag is set.
+        */
+       if (retval == PKT_ALIAS_ERROR ||
+           (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+           (retval == PKT_ALIAS_IGNORED &&
+           (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
                /* XXX - should i add some logging? */
                m_free(mcl);
                args->m = NULL;
                return (IP_FW_DENY);
        }
+
+       if (retval == PKT_ALIAS_RESPOND)
+               m->m_flags |= M_SKIP_FIREWALL;
        mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
 
        /*
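Review bot: The new drop condition at lines 51-54 relies on `args->oif == NULL` to mean "incoming", but the comment above it only says "For incoming packets"; since the same test presumably selects LibAliasIn versus LibAliasOut just above the hunk, spell it out in the comment, e.g. `* 2. For incoming packets (args->oif == NULL):`. The drop branch still carries `/* XXX - should i add some logging? */`, and now that one of its cases is a deliberate policy decision (PKT_ALIAS_IGNORED with PKT_ALIAS_DENY_INCOMING set in packetAliasMode), a counter or rate-limited log of denied packets would make that policy observable to operators; if it stays a TODO, the comment should at least say which of the enumerated cases it refers to. Note also that the PKT_ALIAS_RESPOND case at lines 61-62 no longer rewrites `retval` to PKT_ALIAS_OK as the removed code did; that is only safe if nothing later in the function inspects retval, which cannot be confirmed here because ipfw_nat continues past the end of the hunk.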