svn commit: r337948 - in stable: 10/sys/contrib/ipfilter/netinet 11/sys/contrib/ipfilter/netinet
Cy Schubert
cy at FreeBSD.org
Fri Aug 17 02:46:37 UTC 2018
Author: cy
Date: Fri Aug 17 02:46:36 2018
New Revision: 337948
URL: https://svnweb.freebsd.org/changeset/base/337948
Log:
MFC r337558, r337560
r337558:
Identify the return value (rval) that led to the IPv4 NAT failure
in ipf_nat_checkout() and report it in the frb_natv4out and frb_natv4in
dtrace probes.
This is currently being used to diagnose NAT failures in PR/208566. It's
rather handy so this commit makes it available for future diagnosis and
debugging efforts.
PR: 208566
r337560:
Correct a comment. Should have been detected by ipf_nat_in() not
ipf_nat_out().
Modified:
stable/10/sys/contrib/ipfilter/netinet/ip_nat.c
Directory Properties:
stable/10/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/11/sys/contrib/ipfilter/netinet/ip_nat.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/10/sys/contrib/ipfilter/netinet/ip_nat.c
==============================================================================
--- stable/10/sys/contrib/ipfilter/netinet/ip_nat.c Fri Aug 17 01:59:19 2018 (r337947)
+++ stable/10/sys/contrib/ipfilter/netinet/ip_nat.c Fri Aug 17 02:46:36 2018 (r337948)
@@ -4956,7 +4956,7 @@ retry_roundrobin:
case 0 :
continue;
case -1 :
- rval = -1;
+ rval = -3;
goto outmatchfail;
case 1 :
default :
@@ -5001,7 +5001,7 @@ retry_roundrobin:
natfailed = 0;
break;
}
- natfailed = -1;
+ natfailed = -2;
}
if ((np == NULL) && (nmsk < softn->ipf_nat_map_max)) {
nmsk++;
@@ -5026,15 +5026,23 @@ outmatchfail:
switch (rval)
{
+ case -3 :
+ /* ipf_nat_match() failure */
+ /* FALLTHROUGH */
+ case -2 :
+ /* retry_roundrobin loop failure */
+ /* FALLTHROUGH */
case -1 :
+ /* proxy failure detected by ipf_nat_out() */
if (passp != NULL) {
- DT1(frb_natv4out, fr_info_t *, fin);
+ DT2(frb_natv4out, fr_info_t *, fin, int, rval);
NBUMPSIDED(1, ns_drop);
*passp = FR_BLOCK;
fin->fin_reason = FRB_NATV4;
}
fin->fin_flx |= FI_BADNAT;
NBUMPSIDED(1, ns_badnat);
+ rval = -1; /* We only return -1 on error. */
break;
case 0 :
NBUMPSIDE(1, ns_ignored);
@@ -5442,7 +5450,7 @@ retry_roundrobin:
case 0 :
continue;
case -1 :
- rval = -1;
+ rval = -3;
goto inmatchfail;
case 1 :
default :
@@ -5489,7 +5497,7 @@ retry_roundrobin:
natfailed = 0;
break;
}
- natfailed = -1;
+ natfailed = -2;
}
if ((np == NULL) && (rmsk < softn->ipf_nat_rdr_max)) {
rmsk++;
@@ -5514,15 +5522,23 @@ inmatchfail:
switch (rval)
{
+ case -3 :
+ /* ipf_nat_match() failure */
+ /* FALLTHROUGH */
+ case -2 :
+ /* retry_roundrobin loop failure */
+ /* FALLTHROUGH */
case -1 :
+ /* proxy failure detected by ipf_nat_in() */
if (passp != NULL) {
- DT1(frb_natv4in, fr_info_t *, fin);
+ DT2(frb_natv4in, fr_info_t *, fin, int, rval);
NBUMPSIDED(0, ns_drop);
*passp = FR_BLOCK;
fin->fin_reason = FRB_NATV4;
}
fin->fin_flx |= FI_BADNAT;
NBUMPSIDED(0, ns_badnat);
+ rval = -1; /* We only return -1 on error. */
break;
case 0 :
NBUMPSIDE(0, ns_ignored);
More information about the svn-src-stable-10
mailing list