Author: ae
Date: Thu Apr 12 21:13:30 2018
New Revision: 332457
URL: https://svnweb.freebsd.org/changeset/base/332457
Log:
Use cfg->nomatch_verdict as return value from NAT64LSN handler when
given mbuf is considered as not matched.
If mbuf was consumed or freed during handling, we must return
IP_FW_DENY, since ipfw's pfil handler ipfw_check_packet() expects
IP_FW_DENY when mbuf pointer is NULL. This fixes KASSERT panics
when NAT64 is used with INVARIANTS. Also remove unused nomatch_final
field from struct nat64lsn_cfg.
Reported by: Justin Holcomb <justin at justinholcomb dot me>
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
Modified:
head/sys/netpfil/ipfw/nat64/nat64lsn.c
head/sys/netpfil/ipfw/nat64/nat64lsn.h
head/sys/netpfil/ipfw/nat64/nat64lsn_control.c
Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c
==============================================================================
--- head/sys/netpfil/ipfw/nat64/nat64lsn.c Thu Apr 12 21:05:20 2018
(r332456)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn.c Thu Apr 12 21:13:30 2018
(r332457)
@@ -351,10 +351,11 @@ nat64lsn_translate4(struct nat64lsn_cfg *cfg, const st
if (nat_proto == NAT_PROTO_ICMP) {
ret = inspect_icmp_mbuf(pm, &nat_proto, &addr, &port);
if (ret != 0) {
- if (ret == ENOMEM)
+ if (ret == ENOMEM) {
NAT64STAT_INC(&cfg->stats, nomem);
- else
- NAT64STAT_INC(&cfg->stats, noproto);
+ return (IP_FW_DENY);
+ }
+ NAT64STAT_INC(&cfg->stats, noproto);
return (cfg->nomatch_verdict);
}
/* XXX: Check addr for validity */
@@ -416,7 +417,7 @@ nat64lsn_translate4(struct nat64lsn_cfg *cfg, const st
&cfg->stats, logdata);
if (ret == NAT64SKIP)
- return (IP_FW_PASS);
+ return (cfg->nomatch_verdict);
if (ret == NAT64MFREE)
m_freem(*pm);
*pm = NULL;
@@ -1362,7 +1363,7 @@ nat64lsn_request_host(struct nat64lsn_cfg *cfg,
NAT64STAT_INC(&cfg->stats, jhostsreq);
}
- return (IP_FW_PASS);
+ return (IP_FW_DENY);
}
static NAT64NOINLINE int
@@ -1391,7 +1392,7 @@ nat64lsn_request_portgroup(struct nat64lsn_cfg *cfg,
NAT64STAT_INC(&cfg->stats, jportreq);
}
- return (IP_FW_PASS);
+ return (IP_FW_DENY);
}
static NAT64NOINLINE struct nat64lsn_state *
@@ -1595,7 +1596,7 @@ nat64lsn_translate6(struct nat64lsn_cfg *cfg, struct i
action = nat64_do_handle_ip6(*pm, aaddr, aport, &cfg->stats, logdata);
if (action == NAT64SKIP)
- return (IP_FW_PASS);
+ return (cfg->nomatch_verdict);
if (action == NAT64MFREE)
m_freem(*pm);
*pm = NULL; /* mark mbuf as consumed */
@@ -1631,7 +1632,7 @@ ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_arg
ret = nat64lsn_translate6(cfg, &args->f_id, &args->m);
break;
default:
- return (0);
+ return (cfg->nomatch_verdict);
}
return (ret);
}
Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.h
==============================================================================
--- head/sys/netpfil/ipfw/nat64/nat64lsn.h Thu Apr 12 21:05:20 2018
(r332456)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn.h Thu Apr 12 21:13:30 2018
(r332457)
@@ -199,7 +199,6 @@ struct nat64lsn_cfg {
uint8_t plen4;
uint8_t plen6;
uint8_t nomatch_verdict;/* What to return to ipfw on no-match */
- uint8_t nomatch_final; /* Exit outer loop? */
struct in6_addr prefix6; /* IPv6 prefix to embed IPv4 hosts */
uint32_t ihcount; /* Number of items in host hash */
Modified: head/sys/netpfil/ipfw/nat64/nat64lsn_control.c
==============================================================================
--- head/sys/netpfil/ipfw/nat64/nat64lsn_control.c Thu Apr 12 21:05:20
2018 (r332456)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn_control.c Thu Apr 12 21:13:30
2018 (r332457)
@@ -190,7 +190,6 @@ nat64lsn_create(struct ip_fw_chain *ch, ip_fw3_opheade
cfg->st_icmp_ttl = uc->st_icmp_ttl;
cfg->nomatch_verdict = IP_FW_DENY;
- cfg->nomatch_final = 1; /* Exit outer loop by default */
IPFW_UH_WLOCK(ch);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
