pf: Fix error handling when pf_map_addr() fails
Needs ReviewPublic
Actions

Authored by vegeta_tuxpowered.net on Mon, Jun 9, 8:44 PM.

Tags

None

Referenced Files

	F122837026: D50763.id156732.diff
	Tue, Jul 8, 6:01 PM

	Unknown Object (File)
	Mon, Jul 7, 3:14 PM

	Unknown Object (File)
	Sun, Jul 6, 6:27 PM

	Unknown Object (File)
	Sun, Jul 6, 6:00 PM

	Unknown Object (File)
	Wed, Jul 2, 4:40 AM

	Unknown Object (File)
	Tue, Jul 1, 7:40 PM

	Unknown Object (File)
	Tue, Jul 1, 5:05 AM

	Unknown Object (File)
	Fri, Jun 27, 7:05 AM

Subscribers

Details

Reviewers

Summary

When pf_map_addr() fails, for example for a NAT pool, we expect packet will
not be forwarded. The error returned by pf_map_addr() has been ignored in
pf_map_addr_sn(), though, causing packets being forwarded without NAT
applied. Catch the error, return the error to caller, let the caller handle
error counters for route-to pools just like it does for NAT pools. Add
tests for NAT and route-to rules.

Improve logging by not hardcoding function name and use func
instead.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Mon, Jun 9, 8:44 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptMon, Jun 9, 8:44 PM

vegeta_tuxpowered.net requested review of this revision.Mon, Jun 9, 8:44 PM

kp added inline comments.Tue, Jun 10, 5:12 PM

sys/netpfil/pf/pf_lb.c
813	We probably want that error log being PF_DEBUG_NOISY, or at least some increased verbosity log level.
tests/sys/netpfil/pf/nat.sh
803	That might be better done with `atf_check -o "match:map-failed\s+1\s+"` or something like it.