git: 9a538abd957c - main - pf: add 'translation' counter

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 12 Feb 2025 09:38:43 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9a538abd957cd43bd09e3d72bc5fe6d0189ffaf8

commit 9a538abd957cd43bd09e3d72bc5fe6d0189ffaf8
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-05 10:58:57 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-12 08:29:09 +0000

    pf: add 'translation' counter
    
    Add a separate "translation" counter and use this rather than "memory"
    when address translation fails due to no free ports in the configured range.
    ok mikeb@
    
    Obtained from:  OpenBSD, sthen <sthen@openbsd.org>, 70ff79155f
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 4 ++--
 sys/netpfil/pf/pf.h | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 4d8a0f2aba31..9963dc728302 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5823,7 +5823,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
 					pd->naf = r->naf;
 				if (pd->af != pd->naf) {
 					if (pf_get_transaddr_af(r, pd) == -1) {
-						REASON_SET(&reason, PFRES_MEMORY);
+						REASON_SET(&reason, PFRES_TRANSLATE);
 						goto cleanup;
 					}
 				}
@@ -5863,7 +5863,7 @@ nextrule:
 		pd->naf = r->naf;
 	if (pd->af != pd->naf) {
 		if (pf_get_transaddr_af(r, pd) == -1) {
-			REASON_SET(&reason, PFRES_MEMORY);
+			REASON_SET(&reason, PFRES_TRANSLATE);
 			goto cleanup;
 		}
 	}
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 24249ead6ba2..01c1abc54602 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -156,7 +156,8 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define PFRES_SRCLIMIT	13		/* Source node/conn limit */
 #define PFRES_SYNPROXY	14		/* SYN proxy */
 #define PFRES_MAPFAILED	15		/* pf_map_addr() failed */
-#define PFRES_MAX	16		/* total+1 */
+#define PFRES_TRANSLATE	16		/* No translation address available */
+#define PFRES_MAX	17		/* total+1 */
 
 #define PFRES_NAMES { \
 	"match", \
@@ -175,6 +176,7 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 	"src-limit", \
 	"synproxy", \
 	"map-failed", \
+	"translate", \
 	NULL \
 }