Author: ae
Date: Tue Jun  7 06:48:42 2011
New Revision: 222808
URL: http://svn.freebsd.org/changeset/base/222808

Log:
  Sync ng_nat with recent (r222806) ipfw_nat changes:
  
    Make the behaviour of the libalias-based in-kernel NAT a bit closer to
    how natd(8) works. natd(8) drops packets only when libalias returns
    PKT_ALIAS_IGNORED and the "deny_incoming" option is set, but ipfw_nat
    always dropped packets that were not aliased, even if they should
    not be aliased and are just passing through.
  
  Also add SCTP support: mark response packets to skip firewall processing.
  
  MFC after:    1 month

Modified:
  head/sys/netgraph/ng_nat.c

Modified: head/sys/netgraph/ng_nat.c
==============================================================================
--- head/sys/netgraph/ng_nat.c  Tue Jun  7 06:45:51 2011        (r222807)
+++ head/sys/netgraph/ng_nat.c  Tue Jun  7 06:48:42 2011        (r222808)
@@ -43,6 +43,7 @@
 #include <machine/in_cksum.h>
 
 #include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
 
 #include <netgraph/ng_message.h>
 #include <netgraph/ng_parse.h>
@@ -696,22 +697,35 @@ ng_nat_rcvdata(hook_p hook, item_p item 
        KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
            ("ng_nat: ip_len != m_pkthdr.len"));
 
+       /*
+        * We drop packet when:
+        * 1. libalias returns PKT_ALIAS_ERROR;
+        * 2. For incoming packets:
+        *      a) for unresolved fragments;
+        *      b) libalias returns PKT_ALIAS_IGNORED and
+        *              PKT_ALIAS_DENY_INCOMING flag is set.
+        */
        if (hook == priv->in) {
                rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-               if (rval != PKT_ALIAS_OK &&
-                   rval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+               if (rval == PKT_ALIAS_ERROR ||
+                   rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+                   (rval == PKT_ALIAS_IGNORED &&
+                    (priv->lib->packetAliasMode &
+                     PKT_ALIAS_DENY_INCOMING) != 0)) {
                        NG_FREE_ITEM(item);
                        return (EINVAL);
                }
        } else if (hook == priv->out) {
                rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
-               if (rval != PKT_ALIAS_OK) {
+               if (rval == PKT_ALIAS_ERROR) {
                        NG_FREE_ITEM(item);
                        return (EINVAL);
                }
        } else
                panic("ng_nat: unknown hook!\n");
 
+       if (rval == PKT_ALIAS_RESPOND)
+               m->m_flags |= M_SKIP_FIREWALL;
        m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
 
        if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
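Review bot: The new `rval == PKT_ALIAS_RESPOND` branch near the end of the hunk sets M_SKIP_FIREWALL without a comment saying why this packet may bypass firewall processing; the log message only attributes it to SCTP support, so the exemption is hard to review in the code itself. I would add above it `/* PKT_ALIAS_RESPOND: libalias built this packet itself (SCTP), so it must not be run through the firewall again. */` — presumably these are libalias-generated responses rather than forwarded traffic, so confirm that against LibAliasIn/LibAliasOut before stating it as fact. Note also that the incoming-path check now reads `priv->lib->packetAliasMode` directly, which is why the first hunk pulls in the private alias_local.h header; a one-line comment such as `/* no public accessor for the mode flags; read libalias' private field */` (or querying the mode through the public LibAliasSetMode interface, if it returns the current mode) would make the coupling to libalias internals explicit. ng_nat_rcvdata begins before the hunk and continues after it, and the `if` on the hunk's last line has its body outside.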