-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index 1b148fbaa9dc..58d4c7e13b65 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -4951,7 +4951,7 @@ retry_roundrobin:
case 0 :
continue;
case -1 :
- rval = -1;
+ rval = -3;
goto outmatchfail;
case 1 :
default :
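Review bot: The bare `-3` assigned under `case -1 :` is a magic number whose meaning is only explained by the comments in the `outmatchfail:` switch, well away from this assignment. The same holds for `natfailed = -2` in the next hunk and for the two matching assignments on the inbound path (before `goto inmatchfail` and the second `natfailed = -2`). A trailing comment at each site would keep the codes readable where they are set, for example `rval = -3; /* ipf_nat_match() failure */`. Named constants shared by both switches would be sturdier and would stop the four assignment sites and two switches from drifting apart. The enclosing loop starts and ends outside the hunk.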
@@ -4996,7 +4996,7 @@ retry_roundrobin:
natfailed = 0;
break;
}
- natfailed = -1;
+ natfailed = -2;
}
if ((np == NULL) && (nmsk < softn->ipf_nat_map_max)) {
nmsk++;
@@ -5021,15 +5021,23 @@ outmatchfail:
switch (rval)
{
+ case -3 :
+ /* ipf_nat_match() failure */
+ /* FALLTHROUGH */
+ case -2 :
+ /* retry_roundrobin loop failure */
+ /* FALLTHROUGH */
case -1 :
+ /* proxy failure detected by ipf_nat_out() */
if (passp != NULL) {
- DT1(frb_natv4out, fr_info_t *, fin);
+ DT2(frb_natv4out, fr_info_t *, fin, int, rval);
NBUMPSIDED(1, ns_drop);
*passp = FR_BLOCK;
fin->fin_reason = FRB_NATV4;
}
fin->fin_flx |= FI_BADNAT;
NBUMPSIDED(1, ns_badnat);
+ rval = -1; /* We only return -1 on error. */
break;
case 0 :
NBUMPSIDE(1, ns_ignored);
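Review bot: The new `DT2(frb_natv4out, fr_info_t *, fin, int, rval)` probe sits inside `if (passp != NULL)`, and `rval` is then flattened to `-1`. When `passp` is NULL the packet is still flagged `FI_BADNAT` and counted in `ns_badnat`, but nothing records which of the three causes applied. If the distinct codes exist so an operator can tell the failure modes apart, firing the probe before the `passp` test would cover both paths; that changes when the existing probe fires, so it should be a deliberate choice. The inbound switch at `inmatchfail:` has the same shape with `frb_natv4in`. The switch continues past the end of the hunk, so whether a `default` arm handles other negative values is not visible here.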
@@ -5437,7 +5445,7 @@ retry_roundrobin:
case 0 :
continue;
case -1 :
- rval = -1;
+ rval = -3;
goto inmatchfail;
case 1 :
default :
@@ -5484,7 +5492,7 @@ retry_roundrobin:
natfailed = 0;
break;
}
- natfailed = -1;
+ natfailed = -2;
}
if ((np == NULL) && (rmsk < softn->ipf_nat_rdr_max)) {
rmsk++;
@@ -5509,15 +5517,23 @@ inmatchfail:
switch (rval)
{
+ case -3 :
+ /* ipf_nat_match() failure */
+ /* FALLTHROUGH */
+ case -2 :
+ /* retry_roundrobin loop failure */
+ /* FALLTHROUGH */
case -1 :
+ /* proxy failure detected by ipf_nat_out() */
if (passp != NULL) {
- DT1(frb_natv4in, fr_info_t *, fin);
+ DT2(frb_natv4in, fr_info_t *, fin, int, rval);
NBUMPSIDED(0, ns_drop);
*passp = FR_BLOCK;
fin->fin_reason = FRB_NATV4;
}
fin->fin_flx |= FI_BADNAT;
NBUMPSIDED(0, ns_badnat);
+ rval = -1; /* We only return -1 on error. */
break;
case 0 :
NBUMPSIDE(0, ns_ignored);
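Review bot: The comment added under `case -1 :` on the inbound path reads `/* proxy failure detected by ipf_nat_out() */`, which looks copied from the outbound switch. This arm is reached via `inmatchfail:` and uses the `frb_natv4in` probe. Presumably it should name the inbound counterpart, e.g. `/* proxy failure detected by ipf_nat_in() */`, but the call that produces the `-1` lies outside the hunk, so confirm against the function body. A wrong function name here will mislead anyone who sees a `-1` in the probe's `rval` argument and goes looking for its source.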