From nobody@FreeBSD.org  Wed Mar 26 09:44:51 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 73329106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Mar 2008 09:44:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 659538FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Mar 2008 09:44:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m2Q9iaUF029154
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Mar 2008 09:44:36 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m2Q9iahr029153;
	Wed, 26 Mar 2008 09:44:36 GMT
	(envelope-from nobody)
Message-Id: <200803260944.m2Q9iahr029153@www.freebsd.org>
Date: Wed, 26 Mar 2008 09:44:36 GMT
From: Mikhail Dyadchenko <m.dyadchenko@211.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw nat traceroute problem
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         122109
>Category:       kern
>Synopsis:       [ipfw] ipfw nat traceroute problem
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 26 09:50:00 UTC 2008
>Closed-Date:    Thu Jul 07 09:43:16 UTC 2011
>Last-Modified:  Thu Jul  7 09:50:09 UTC 2011
>Originator:     Mikhail Dyadchenko
>Release:        7.0-STABLE
>Organization:
SibSet LTD
>Environment:
FreeBSD lo0.ru 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Mar 22 12:14:16 NOVT 2008     root@lo0.ru:/usr/obj/usr/src/sys/lo0  amd64
>Description:
Problem in NAT'ing traceroute icmp answers.

traceroute to ya.ru (213.180.204.8), 64 hops max, 52 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * ^C
Tcpdump on the interface shows ICMP packets to/from all hops on the trace.
Then I put in a rule to skipto ICMP traffic over the nat rules, and I got answers.
So probably the packets are dropped in the kernel libalias or in ipfw nat.

net.inet.ip.fw.one_pass: 0

Problem detected after migration from natd + divert.

Traceroute from the internal network works fine.

Kernel compiled after csup src-all.

>How-To-Repeat:
nve0 - external interface
ipfw output

ipfw nat 400 config ip xxx.xxx.xxx.xxx same_ports
09500        64         3971 skipto 65000 icmp from any to any
10000  20464225  25206636648 nat 400 ip from 10.1.255.0/28 to any via nve0
10100  13407049   3332989310 nat 400 ip from any to xxx.xxx.xxx.xxx via nve0
10200        30         1200 deny ip from not xxx.xxx.xxx.xxx to any out xmit nve0
65000 181231789 158968737448 allow ip from any to any

Then I remove rule 09500, and the ICMP packets die on the nat rule.

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Mar 26 16:38:03 UTC 2008 
Responsible-Changed-Why:  
reassign to ipfw 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 
Responsible-Changed-From-To: freebsd-ipfw->piso 
Responsible-Changed-By: piso 
Responsible-Changed-When: Wed Mar 26 20:32:04 UTC 2008 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 
Responsible-Changed-From-To: piso->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Sep 16 17:10:45 UTC 2010 
Responsible-Changed-Why:  
piso's bit has been returned. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 

From: "Alexander V. Chernikov" <melifaro@ipfw.ru>
To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru
Cc:  
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Wed, 22 Sep 2010 01:24:40 +0400

 The problem can be fixed with a small patch:
 
 --- /usr/src/sys/netinet/libalias/alias.c.orig  2010-09-22
 01:07:19.000000000 +0400
 +++ /usr/src/sys/netinet/libalias/alias.c       2010-09-22
 01:11:11.000000000 +0400
 @@ -432,7 +432,7 @@
                 }
                 return (PKT_ALIAS_OK);
         }
 -       return (PKT_ALIAS_IGNORED);
 +       return (PKT_ALIAS_OK);
  }
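 Review bot: Returning PKT_ALIAS_OK from the fall-through at the end of IcmpAliasIn2() makes a "no matching session" result indistinguishable from a successful translation, and it removes the only signal that natd(8)'s deny_incoming handling (status == PKT_ALIAS_IGNORED && dropIgnoredIncoming) uses to drop unsolicited ICMP errors. The drop the reporter sees happens in the caller, ipfw nat, which treats every non-OK code as a deny, so the fix belongs in ip_fw_nat.c's handling of PKT_ALIAS_IGNORED rather than in libalias; keep `return (PKT_ALIAS_IGNORED);` here.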
 
 
 IcmpAliasIn2() doesn't create state for incoming packets (as
 IcmpAliasIn1() does).
 
 IcmpAliasIn2() is called only in the case of
 ICMP_UNREACH|ICMP_SOURCEQUENCH|ICMP_TIMXCEED|ICMP_PARAMPROB.
 
 If an incoming ICMP packet of the given type is not found in the internal
 state table, we can just pass it to the host system (back to the ipfw or
 netgraph hook, really) without even creating state.

From: ten <dm@211.ru>
To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru
Cc:  
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Mon, 18 Apr 2011 22:41:45 +0700

 Works fine.
 MFC?
 
 
 --- sys/netinet/libalias/alias.c.orig   2010-09-10 03:28:46.000000000 +0700
 +++ sys/netinet/libalias/alias.c        2011-04-18 22:05:07.000000000 +0700
 @@ -423,7 +423,7 @@
                 }
                 return (PKT_ALIAS_OK);
         }
 -       return (PKT_ALIAS_IGNORED);
 +       return (PKT_ALIAS_OK);
  }
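 Review bot: This is the same one-line change to IcmpAliasIn2() as the patch posted in September 2010, rebased to a different alias.c revision (hunk at -423 instead of -432), so the same objection holds: an unmatched ICMP error would now report PKT_ALIAS_OK and natd's deny_incoming could no longer drop it. An MFC request is premature while nothing has been committed to head.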
 

From: "Alexander V. Chernikov" <melifaro@ipfw.ru>
To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru, ae@FreeBSD.org
Cc:  
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Fri, 03 Jun 2011 10:08:13 +0400

 The problem is actually a bit deeper.
 
 Before the libalias-based kernel nat appeared, natd used the PKT_ALIAS_IGNORED
 return code to drop packets iff the PKT_ALIAS_DENY_INCOMING flag is set:
 
                status = LibAliasIn (mla, buf, IP_MAXPACKET);
                 if (status == PKT_ALIAS_IGNORED &&
                     mip->dropIgnoredIncoming) {
 
                         if (verbose)
                                 printf (" dropped.\n");
 
 
 The current ipfw nat (and ng_nat) implementation simply drops every packet
 with the PKT_ALIAS_IGNORED return code:
 
        if (retval != PKT_ALIAS_OK &&
            retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
                 /* XXX - should i add some logging? */
                 m_free(mcl);
 
 Most PKT_ALIAS_IGNORED returns happen when no state is found (the rest are
 some (possibly) very rare unknown errors/handler errors).
 
 Libalias automatically creates new state for every packet not found in the
 aliasing database if it is reasonable to do so (TCP/UDP packets definitely
 are, since they represent logical sessions; ICMP request/reply is reasonable
 too, etc.). On the other hand, there is no reason to create state for
 packets signaling errors on some existing session (ICMP unreach, etc.),
 since such packets are rare/unidirectional and no reply is needed.
 
 The only two places where state is not created (not counting the
 PKT_ALIAS_PROXY_ONLY and PKT_ALIAS_DENY_INCOMING modes) are the
 IcmpAliasIn2()/IcmpAliasOut2() functions.
 
 Those functions dispatch various ICMP notifications and try to map each
 notification to an existing state using the original packet header carried
 inside the ICMP message. If no such session is found (the PR case, since
 locally-originated packets are usually not passed to libalias and no
 replies are transmitted due to traceroute specifics), the return code is set
 to PKT_ALIAS_IGNORED.
 
 As a result, restoring the original behavior should not break anything.
 
 This patch seems to fix the problem:
 
 Index: ip_fw_nat.c
 ===================================================================
 --- ip_fw_nat.c (revision 221263)
 +++ ip_fw_nat.c (working copy)
 @@ -267,8 +267,9 @@
                 m->m_flags |= M_SKIP_FIREWALL;
                 retval = PKT_ALIAS_OK;
         }
 -       if (retval != PKT_ALIAS_OK &&
 -           retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +       if (retval == PKT_ALIAS_ERROR || retval ==
 PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +               (retval == PKT_ALIAS_IGNORED &&
 +                (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING))) {
                 /* XXX - should i add some logging? */
                 m_free(mcl);
                 args->m = NULL;
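 Review bot: The new condition applies the PKT_ALIAS_UNRESOLVED_FRAGMENT and PKT_ALIAS_IGNORED/PKT_ALIAS_DENY_INCOMING drops in both directions, but PKT_ALIAS_DENY_INCOMING only describes inbound policy; gate the fragment and deny_incoming checks on the packet being inbound (ipfw_nat() can tell from args->oif == NULL) so an outbound packet that libalias declined to translate is not dropped by an option named for incoming traffic. The condition has also been wrapped by the mailer (`retval ==` and `PKT_ALIAS_UNRESOLVED_FRAGMENT ||` on separate lines), so the diff will not apply as pasted, and the drop stays silent (`/* XXX - should i add some logging? */`); at least a counter would let a deny_incoming drop be observed.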
 
 
 Something similar should be applied to ng_nat.c
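 A userland model of the decision described in the message above, added here as an example; it is not FreeBSD, libalias, natd(8) or ipfw code and was not posted in this PR. It assumes a toy translation table keyed by the 5-tuple, assumed enum values for the status codes (they do not match alias.h), a TOY_DENY_INCOMING flag standing in for PKT_ALIAS_DENY_INCOMING, and constructed RFC 5737 addresses. It implements the IcmpAliasIn2()-style lookup (match an inbound ICMP error's quoted header against existing state, never create state, report "ignored" on a miss) and the two drop policies: the pre-r222806 ipfw_nat() rule and the natd(8) rule that r222806 restores.

```c
/*
 * Added example, not FreeBSD code. Names prefixed toy_/TOY_ are inventions
 * of this example; the enum values are assumed and differ from alias.h.
 */
#include <stdint.h>
#include <stdio.h>

enum toy_alias_status {
	TOY_ALIAS_ERROR = -1,
	TOY_ALIAS_OK = 1,
	TOY_ALIAS_IGNORED = 2,
	TOY_ALIAS_UNRESOLVED_FRAGMENT = 3,
	TOY_ALIAS_FOUND_HEADER_FRAGMENT = 4
};

#define TOY_DENY_INCOMING 0x02	/* stands in for PKT_ALIAS_DENY_INCOMING */
#define TOY_PROTO_UDP 17
#define TOY_MAX_LINKS 8

/* One translation entry: original (private) and aliased (public) source. */
struct toy_link {
	uint8_t proto;
	uint32_t orig_src, alias_src, dst;
	uint16_t orig_sport, alias_sport, dport;
};

struct toy_nat {
	uint32_t alias_addr;	/* the "ipfw nat 400 config ip ..." address */
	int mode;		/* TOY_DENY_INCOMING or 0 */
	int n;
	struct toy_link links[TOY_MAX_LINKS];
};

/* LibAliasOut() for UDP: create state and rewrite the source (same_ports). */
static int
toy_out(struct toy_nat *nat, uint8_t proto, uint32_t src, uint16_t sport,
    uint32_t dst, uint16_t dport)
{
	if (nat->n >= TOY_MAX_LINKS)
		return (TOY_ALIAS_ERROR);
	struct toy_link *l = &nat->links[nat->n++];
	l->proto = proto;
	l->orig_src = src;
	l->orig_sport = sport;
	l->alias_src = nat->alias_addr;
	l->alias_sport = sport;
	l->dst = dst;
	l->dport = dport;
	return (TOY_ALIAS_OK);
}

/*
 * IcmpAliasIn2()-style lookup: an inbound ICMP error quotes the header of
 * the packet that triggered it, carrying the aliased source. Match that
 * against existing links, never create state, report "ignored" on a miss.
 */
static int
toy_icmp_error_in(const struct toy_nat *nat, uint8_t inner_proto,
    uint32_t inner_src, uint16_t inner_sport, uint32_t inner_dst,
    uint16_t inner_dport)
{
	for (int i = 0; i < nat->n; i++) {
		const struct toy_link *l = &nat->links[i];
		if (l->proto == inner_proto && l->alias_src == inner_src &&
		    l->alias_sport == inner_sport && l->dst == inner_dst &&
		    l->dport == inner_dport)
			return (TOY_ALIAS_OK);
	}
	return (TOY_ALIAS_IGNORED);
}

/* Drop test as ipfw_nat() had it before r222806: anything not aliased dies. */
static int
toy_drop_old(int retval, int inbound, int mode)
{
	(void)inbound;
	(void)mode;
	return (retval != TOY_ALIAS_OK &&
	    retval != TOY_ALIAS_FOUND_HEADER_FRAGMENT);
}

/* Drop test as r222806 made it: natd(8)'s deny_incoming semantics. */
static int
toy_drop_new(int retval, int inbound, int mode)
{
	return (retval == TOY_ALIAS_ERROR ||
	    (inbound && (retval == TOY_ALIAS_UNRESOLVED_FRAGMENT ||
	    (retval == TOY_ALIAS_IGNORED && (mode & TOY_DENY_INCOMING) != 0))));
}

/*
 * aliased_probe == 0 is the PR scenario: traceroute run on the NAT box, so
 * the UDP probe left with the public address and never passed toy_out().
 * aliased_probe == 1 is traceroute from an internal host. Returns 1 if the
 * hop's ICMP time-exceeded is delivered under the chosen policy.
 */
static int
toy_reply_passes(int aliased_probe, int new_policy, int mode)
{
	struct toy_nat nat = { .alias_addr = 0xC0000201u, .mode = mode, .n = 0 };
	uint32_t client = 0x0A01FF02u, target = 0xC6336CC8u; /* constructed */
	if (aliased_probe)
		toy_out(&nat, TOY_PROTO_UDP, client, 40000, target, 33435);
	int rv = toy_icmp_error_in(&nat, TOY_PROTO_UDP, nat.alias_addr, 40000,
	    target, 33435);
	int drop = new_policy ? toy_drop_new(rv, 1, mode) : toy_drop_old(rv, 1, mode);
	return (!drop);
}

int
main(void)
{
	printf("local traceroute, old policy:           %s\n",
	    toy_reply_passes(0, 0, 0) ? "pass" : "drop");
	printf("local traceroute, new policy:           %s\n",
	    toy_reply_passes(0, 1, 0) ? "pass" : "drop");
	printf("local traceroute, new policy + deny_in: %s\n",
	    toy_reply_passes(0, 1, TOY_DENY_INCOMING) ? "pass" : "drop");
	printf("internal traceroute, old policy:        %s\n",
	    toy_reply_passes(1, 0, 0) ? "pass" : "drop");
	return (0);
}
```

 The model reproduces the thread's point: the locally generated probe creates no link, the returning ICMP error misses the lookup, and the old ipfw_nat() policy turns that miss into a drop while the natd(8) policy only drops it when deny_incoming is set. The outbound direction is also left alone under the new policy, which is the gating the committed version adds over the first patch.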
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Mon Jun 6 07:00:37 UTC 2011 
State-Changed-Why:  
Can you test this patch? 
http://people.freebsd.org/~ae/ipfw_nat.diff 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 

From: ten <ten.nsk@gmail.com>
To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru
Cc:  
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Mon, 6 Jun 2011 21:38:36 +0700

 It seems I have too old a version, and the patch is not applicable to me.
 
 7.3-STABLE FreeBSD 7.3-STABLE #2 amd64
 
 src/sys/netinet/ip_fw_nat.c
 __FBSDID("$FreeBSD: src/sys/netinet/ip_fw_nat.c,v 1.2.2.2 2008/06/23
 14:15:53 mav Exp $");
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122109: commit references a PR
Date: Tue,  7 Jun 2011 06:42:38 +0000 (UTC)

 Author: ae
 Date: Tue Jun  7 06:42:29 2011
 New Revision: 222806
 URL: http://svn.freebsd.org/changeset/base/222806
 
 Log:
   Make a behaviour of the libalias based in-kernel NAT a bit closer to
   how natd(8) does work. natd(8) drops packets only when libalias returns
   PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
   always did drop packets that were not aliased, even if they should
   not be aliased and just are going through.
   
   PR:		kern/122109, kern/129093, kern/157379
   Submitted by:	Alexander V. Chernikov (previous version)
   MFC after:	1 month
 
 Modified:
   head/sys/netinet/ipfw/ip_fw_nat.c
 
 Modified: head/sys/netinet/ipfw/ip_fw_nat.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:18:02 2011	(r222805)
 +++ head/sys/netinet/ipfw/ip_fw_nat.c	Tue Jun  7 06:42:29 2011	(r222806)
 @@ -262,17 +262,27 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c,
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval == PKT_ALIAS_RESPOND) {
 -		m->m_flags |= M_SKIP_FIREWALL;
 -		retval = PKT_ALIAS_OK;
 -	}
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  		args->m = NULL;
  		return (IP_FW_DENY);
  	}
 +
 +	if (retval == PKT_ALIAS_RESPOND)
 +		m->m_flags |= M_SKIP_FIREWALL;
  	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
  
  	/*
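 Review bot: PKT_ALIAS_RESPOND is no longer folded into PKT_ALIAS_OK before the drop test, so retval stays PKT_ALIAS_RESPOND afterwards; confirm that nothing later in ipfw_nat() still compares retval against PKT_ALIAS_OK, since such a comparison would now fail for RESPOND packets. The behavioural change is user visible (an ipfw nat instance without deny_in now passes inbound packets libalias could not match instead of dropping them) but only ip_fw_nat.c is modified; ipfw(8)'s description of deny_in should state that it is now the switch controlling this, and the drop behind `/* XXX - should i add some logging? */` is still unlogged.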
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->patched 
State-Changed-By: ae 
State-Changed-When: Tue Jun 7 06:53:46 UTC 2011 
State-Changed-Why:  
Patched in head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 

From: ten <dm@211.ru>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Tue, 14 Jun 2011 22:32:03 +0700

 Yes, works. Thanks.
 
 On 06.06.2011 14:31, Andrey V. Elsukov wrote:
 
 > On 06.06.2011 18:50, ten wrote:
 > > Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
 > > Date: Mon, 6 Jun 2011 21:38:36 +0700
 > >
 > >  --000e0cd22f68002b4704a50c0f97
 > >  Content-Type: text/plain; charset=ISO-8859-1
 > >
 > >  It seems I have too old version, and patch not applicable to me
 > >
 > >  7.3-STABLE FreeBSD 7.3-STABLE #2 amd64
 >
 > I adapted the patch for stable/7:
 > http://people.freebsd.org/~ae/ipfw_nat7.diff
 >
 > --
 > WBR, Andrey V. Elsukov
 >
 >
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122109: commit references a PR
Date: Thu,  7 Jul 2011 09:29:25 +0000 (UTC)

 Author: ae
 Date: Thu Jul  7 09:29:11 2011
 New Revision: 223835
 URL: http://svn.freebsd.org/changeset/base/223835
 
 Log:
   MFC r222806:
     Make a behaviour of the libalias based in-kernel NAT a bit closer to
     how natd(8) does work. natd(8) drops packets only when libalias returns
     PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
     always did drop packets that were not aliased, even if they should
     not be aliased and just are going through.
   
     PR:		kern/122109, kern/129093, kern/157379
     Submitted by:	Alexander V. Chernikov (previous version)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw_nat.c	Thu Jul  7 08:33:58 2011	(r223834)
 +++ stable/8/sys/netinet/ipfw/ip_fw_nat.c	Thu Jul  7 09:29:11 2011	(r223835)
 @@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c,
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval == PKT_ALIAS_RESPOND) {
 -		m->m_flags |= M_SKIP_FIREWALL;
 -		retval = PKT_ALIAS_OK;
 -	}
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  		args->m = NULL;
  		return (IP_FW_DENY);
  	}
 +
 +	if (retval == PKT_ALIAS_RESPOND)
 +		m->m_flags |= M_SKIP_FIREWALL;
  	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
  
  	/*
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Thu Jul 7 09:42:47 UTC 2011 
State-Changed-Why:  
Merged to stable/7 and stable/8. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122109: commit references a PR
Date: Thu,  7 Jul 2011 09:42:49 +0000 (UTC)

 Author: ae
 Date: Thu Jul  7 09:42:32 2011
 New Revision: 223837
 URL: http://svn.freebsd.org/changeset/base/223837
 
 Log:
   MFC r222806:
     Make a behaviour of the libalias based in-kernel NAT a bit closer to
     how natd(8) does work. natd(8) drops packets only when libalias returns
     PKT_ALIAS_IGNORED and "deny_incoming" option is set, but ipfw_nat
     always did drop packets that were not aliased, even if they should
     not be aliased and just are going through.
   
     PR:		kern/122109, kern/129093, kern/157379
     Submitted by:	Alexander V. Chernikov (previous version)
 
 Modified:
   stable/7/sys/netinet/ip_fw_nat.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/ip_fw_nat.c
 ==============================================================================
 --- stable/7/sys/netinet/ip_fw_nat.c	Thu Jul  7 09:32:43 2011	(r223836)
 +++ stable/7/sys/netinet/ip_fw_nat.c	Thu Jul  7 09:42:32 2011	(r223837)
 @@ -322,8 +322,18 @@ ipfw_nat(struct ip_fw_args *args, struct
  	else
  		retval = LibAliasOut(t->lib, c, 
  			mcl->m_len + M_TRAILINGSPACE(mcl));
 -	if (retval != PKT_ALIAS_OK &&
 -	    retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +	/*
 +	 * We drop packet when:
 +	 * 1. libalias returns PKT_ALIAS_ERROR;
 +	 * 2. For incoming packets:
 +	 *	a) for unresolved fragments;
 +	 *	b) libalias returns PKT_ALIAS_IGNORED and
 +	 *		PKT_ALIAS_DENY_INCOMING flag is set.
 +	 */
 +	if (retval == PKT_ALIAS_ERROR ||
 +	    (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +	    (retval == PKT_ALIAS_IGNORED &&
 +	    (t->lib->packetAliasMode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
  		/* XXX - should i add some logging? */
  		m_free(mcl);
  	badnat:
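 Review bot: Unlike the head hunk, this one removes no PKT_ALIAS_RESPOND / M_SKIP_FIREWALL block, so it only rewrites the drop condition, and it ends at the `badnat:` label: after `m_free(mcl);` the drop path falls into shared cleanup rather than the explicit `args->m = NULL; return (IP_FW_DENY);` that head has, so confirm the badnat path still clears args->m and returns IP_FW_DENY for this narrower set of drops. The condition itself matches r222806, including the inbound-only gating on args->oif == NULL.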
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
