kern/122109: commit references a PR

dfilter service dfilter at FreeBSD.ORG
Tue Jun 7 06:50:10 UTC 2011 

The following reply was made to PR kern/122109; it has been noted by GNATS.

From: dfilter at FreeBSD.ORG (dfilter service)
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: kern/122109: commit references a PR
Date: Tue,  7 Jun 2011 06:42:38 +0000 (UTC)

 Author: ae
 Date: Tue Jun  7 06:42:29 2011
 New Revision: 222806
 URL: http://svn.freebsd.org/changeset/base/222806
 
 Log:
   Make a behaviour of the libalias based in-kernel NAT a bit closer to
   how natd(8) does work. natd(8) drops packets only when libalias returns
   PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
   always did drop packets that were not aliased, even if they should
   not be aliased and just are going through.
   
   PR:		kern/122109, kern/129093, kern/157379
   Submitted by:	Alexander V. Chernikov (previous version)
   MFC after:	1 month
 
 Modified:
   head/sys/netinet/ipfw/ip_fw_nat.c
 
 Modified: head/sys/netinet/ipfw/ip_fw_nat.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:18:02 2011	(r222805)
 +++ head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:42:29 2011	(r222806)
 @@ -262,17 +262,27 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c,
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval == PKT_ALIAS_RESPOND) {
 -		m->m_flags |= M_SKIP_FIREWALL;
 -		retval = PKT_ALIAS_OK;
 -	}
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  		args->m = NULL;
  		return (IP_FW_DENY);
  	}
 +
 +	if (retval == PKT_ALIAS_RESPOND)
 +		m->m_flags |= M_SKIP_FIREWALL;
  	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
  
  	/*
 _______________________________________________
 svn-src-all at freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe at freebsd.org"

More information about the freebsd-ipfw mailing list