Merge r270022 from head:

pf_map_addr() can fail and in this case we should drop the packet, otherwise bad consequences including a routing loop can occur. Move pf_set_rt_ifp() earlier in state creation sequence and inline it, cutting some extra code. PR: 183997 Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net> Sponsored by: InnoGames GmbH
author: glebius <glebius@FreeBSD.org> 2014-08-25 15:49:41 +0000
committer: glebius <glebius@FreeBSD.org> 2014-08-25 15:49:41 +0000
commit: dbdbc550bee655a838b53b1473548aef324b33b6 (patch)
tree: 89e7e7a9bf9c478a54be77511cee8b7199e444f2 /sys/netpfil/pf/pf.h
parent: 59e5a700b1e4de81862182bd63cf0ce0e81172d1 (diff)
download: FreeBSD-src-dbdbc550bee655a838b53b1473548aef324b33b6.zip
FreeBSD-src-dbdbc550bee655a838b53b1473548aef324b33b6.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 3ea66d3..630cd3f 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -125,7 +125,8 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define PFRES_MAXSTATES	12		/* State limit */
 #define PFRES_SRCLIMIT	13		/* Source node/conn limit */
 #define PFRES_SYNPROXY	14		/* SYN proxy */
-#define PFRES_MAX	15		/* total+1 */
+#define PFRES_MAPFAILED	15		/* pf_map_addr() failed */
+#define PFRES_MAX	16		/* total+1 */
 
 #define PFRES_NAMES { \
 	"match", \
@@ -143,6 +144,7 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 	"state-limit", \
 	"src-limit", \
 	"synproxy", \
+	"map-failed", \
 	NULL \
 }
author	glebius <glebius@FreeBSD.org>	2014-08-25 15:49:41 +0000
committer	glebius <glebius@FreeBSD.org>	2014-08-25 15:49:41 +0000
commit	dbdbc550bee655a838b53b1473548aef324b33b6 (patch)
tree	89e7e7a9bf9c478a54be77511cee8b7199e444f2 /sys/netpfil/pf/pf.h
parent	59e5a700b1e4de81862182bd63cf0ce0e81172d1 (diff)
download	FreeBSD-src-dbdbc550bee655a838b53b1473548aef324b33b6.zip FreeBSD-src-dbdbc550bee655a838b53b1473548aef324b33b6.tar.gz