Diffstat (limited to 'sys/netgraph')
-rw-r--r--sys/netgraph/ng_nat.c20
-rw-r--r--sys/netgraph/ng_pipe.c31
2 files changed, 47 insertions, 4 deletions
diff --git a/sys/netgraph/ng_nat.c b/sys/netgraph/ng_nat.c
index 84da500..59818d9 100644
--- a/sys/netgraph/ng_nat.c
+++ b/sys/netgraph/ng_nat.c
@@ -43,6 +43,7 @@
#include <machine/in_cksum.h>
#include <netinet/libalias/alias.h>
+#include <netinet/libalias/alias_local.h>
#include <netgraph/ng_message.h>
#include <netgraph/ng_parse.h>
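Review bot: Including `alias_local.h` pulls libalias's private definitions into ng_nat only so that the ng_nat_rcvdata hunk can read `priv->lib->packetAliasMode`. That ties the node to the layout of struct libalias and, as far as the diff shows, reads the field without going through the library's own locked entry points. LibAliasSetMode() returns the resulting mode, so `LibAliasSetMode(priv->lib, 0, 0) & PKT_ALIAS_DENY_INCOMING` should give the same test through the public `alias.h`. If the direct read is kept, a short comment at the include naming the one field that is needed would make the dependency visible.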
@@ -696,22 +697,35 @@ ng_nat_rcvdata(hook_p hook, item_p item )
KASSERT(m->m_pkthdr.len == ntohs(ip->ip_len),
("ng_nat: ip_len != m_pkthdr.len"));
+ /*
+ * We drop packet when:
+ * 1. libalias returns PKT_ALIAS_ERROR;
+ * 2. For incoming packets:
+ * a) for unresolved fragments;
+ * b) libalias returns PKT_ALIAS_IGNORED and
+ * PKT_ALIAS_DENY_INCOMING flag is set.
+ */
if (hook == priv->in) {
rval = LibAliasIn(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
- if (rval != PKT_ALIAS_OK &&
- rval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
+ if (rval == PKT_ALIAS_ERROR ||
+ rval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
+ (rval == PKT_ALIAS_IGNORED &&
+ (priv->lib->packetAliasMode &
+ PKT_ALIAS_DENY_INCOMING) != 0)) {
NG_FREE_ITEM(item);
return (EINVAL);
}
} else if (hook == priv->out) {
rval = LibAliasOut(priv->lib, c, m->m_len + M_TRAILINGSPACE(m));
- if (rval != PKT_ALIAS_OK) {
+ if (rval == PKT_ALIAS_ERROR) {
NG_FREE_ITEM(item);
return (EINVAL);
}
} else
panic("ng_nat: unknown hook!\n");
+ if (rval == PKT_ALIAS_RESPOND)
+ m->m_flags |= M_SKIP_FIREWALL;
m->m_pkthdr.len = m->m_len = ntohs(ip->ip_len);
if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
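Review bot: The drop test on both hooks changes from "drop unless the result is accepted" to "drop only the listed results", so any LibAliasIn()/LibAliasOut() return value not named here is now forwarded. On the `priv->out` branch that includes PKT_ALIAS_IGNORED, which presumably means the packet leaves untranslated with its original source address; the block comment lists only what is dropped and should state that this is intended, e.g. `* 3. Outgoing packets that libalias ignores are forwarded unmodified.` The `m->m_flags |= M_SKIP_FIREWALL;` line for PKT_ALIAS_RESPOND exempts the packet from filtering and needs its own why-comment, something like `/* libalias turned the packet into its own reply; do not filter it again */` if that is the reason. ng_nat_rcvdata starts and ends outside this hunk.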
diff --git a/sys/netgraph/ng_pipe.c b/sys/netgraph/ng_pipe.c
index b5bab3c..11ea814 100644
--- a/sys/netgraph/ng_pipe.c
+++ b/sys/netgraph/ng_pipe.c
@@ -298,11 +298,12 @@ ngp_rcvmsg(node_p node, item_p item, hook_p lasthook)
{
const priv_p priv = NG_NODE_PRIVATE(node);
struct ng_mesg *resp = NULL;
- struct ng_mesg *msg;
+ struct ng_mesg *msg, *flow_msg;
struct ng_pipe_stats *stats;
struct ng_pipe_run *run;
struct ng_pipe_cfg *cfg;
int error = 0;
+ int prev_down, now_down, cmd;
NGI_GET_MSG(item, msg);
switch (msg->header.typecookie) {
@@ -403,10 +404,38 @@ ngp_rcvmsg(node_p node, item_p item, hook_p lasthook)
cfg->header_offset < 64)
priv->header_offset = cfg->header_offset;
+ prev_down = priv->upper.cfg.ber == 1 ||
+ priv->lower.cfg.ber == 1;
parse_cfg(&priv->upper.cfg, &cfg->downstream,
&priv->upper, priv);
parse_cfg(&priv->lower.cfg, &cfg->upstream,
&priv->lower, priv);
+ now_down = priv->upper.cfg.ber == 1 ||
+ priv->lower.cfg.ber == 1;
+
+ if (prev_down != now_down) {
+ if (now_down)
+ cmd = NGM_LINK_IS_DOWN;
+ else
+ cmd = NGM_LINK_IS_UP;
+
+ if (priv->lower.hook != NULL) {
+ NG_MKMESSAGE(flow_msg, NGM_FLOW_COOKIE,
+ cmd, 0, M_NOWAIT);
+ if (flow_msg != NULL)
+ NG_SEND_MSG_HOOK(error, node,
+ flow_msg, priv->lower.hook,
+ 0);
+ }
+ if (priv->upper.hook != NULL) {
+ NG_MKMESSAGE(flow_msg, NGM_FLOW_COOKIE,
+ cmd, 0, M_NOWAIT);
+ if (flow_msg != NULL)
+ NG_SEND_MSG_HOOK(error, node,
+ flow_msg, priv->upper.hook,
+ 0);
+ }
+ }
break;
default:
error = EINVAL;
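Review bot: The two flow-control sends share `error`, so the result of the send on `priv->lower.hook` is overwritten by the send on `priv->upper.hook`, and whatever the last send returns presumably becomes the status of a config message whose settings were already applied by parse_cfg(). A failed `NG_MKMESSAGE(..., M_NOWAIT)` is skipped silently, so a peer can miss the NGM_LINK_IS_DOWN or NGM_LINK_IS_UP transition with nothing recording it. Consider a separate local such as `int flow_error;` for the notifications and deciding explicitly whether a lost notification should fail the command or just be logged. The `ber == 1` comparison is used twice as the "link is down" test and would be clearer with a one-line comment or a small helper. The case body and ngp_rcvmsg continue outside the hunk.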