

[src/netbsd-1-6]: src/sys/netinet Patch (requested by jklos ticket #1564):



details:   https://anonhg.NetBSD.org/src/rev/d32480e157f4
branches:  netbsd-1-6
changeset: 531024:d32480e157f4
user:      cyber <cyber%NetBSD.org@localhost>
date:      Wed Nov 26 09:41:12 2003 +0000

description:
Patch (requested by jklos ticket #1564):
Change to ip filter's NAT code to keep excessive NAT entries from
causing the kernel to panic.

diffstat:

 sys/netinet/ip_nat.c |  10 ++++++++--
 sys/netinet/ip_nat.h |  22 ++++++++++++++++++++--
 2 files changed, 28 insertions(+), 4 deletions(-)

diffs (82 lines):

diff -r e047f4a29320 -r d32480e157f4 sys/netinet/ip_nat.c
--- a/sys/netinet/ip_nat.c      Wed Nov 26 09:26:19 2003 +0000
+++ b/sys/netinet/ip_nat.c      Wed Nov 26 09:41:12 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_nat.c,v 1.48.4.4 2002/10/24 09:33:47 lukem Exp $    */
+/*     $NetBSD: ip_nat.c,v 1.48.4.5 2003/11/26 09:41:12 cyber Exp $    */
 
 /*
  * Copyright (C) 1995-2001 by Darren Reed.
@@ -112,7 +112,7 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.48.4.4 2002/10/24 09:33:47 lukem Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.48.4.5 2003/11/26 09:41:12 cyber Exp $");
 #else
 static const char sccsid[] = "@(#)ip_nat.c     1.11 6/5/96 (C) 1995 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp";
@@ -122,6 +122,7 @@
 nat_t  **nat_table[2] = { NULL, NULL },
        *nat_instances = NULL;
 ipnat_t        *nat_list = NULL;
+u_int  ipf_nattable_max = NAT_TABLE_MAX;
 u_int  ipf_nattable_sz = NAT_TABLE_SZ;
 u_int  ipf_natrules_sz = NAT_SIZE;
 u_int  ipf_rdrrules_sz = RDR_SIZE;
@@ -1226,6 +1227,11 @@
        qif_t *qf = fin->fin_qif;
 #endif
 
+       if (nat_stats.ns_inuse >= ipf_nattable_max) {
+               nat_stats.ns_memfail++;
+               return NULL;
+       }
+
        nflags = flags & np->in_flags;
        if (flags & IPN_TCPUDP) {
                tcp = (tcphdr_t *)fin->fin_dp;
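Review bot: The new cap reports a full table through `nat_stats.ns_memfail++`, so an operator reading the NAT statistics cannot tell a genuine allocation failure from the limit being reached, which is exactly the signal needed to notice a translation-table flood; a separate counter in nat_stats for "table full" refusals would keep the two distinguishable. The intent of the guard is also worth stating in place, e.g. `/* Refuse new translations once ipf_nattable_max entries are in use (ticket #1564). */`. Whether `ns_inuse` is read here under the same lock that updates it is not visible in this hunk; if it is not, the comparison is a soft limit that may be overshot by concurrent callers. The enclosing function starts outside the hunk.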
diff -r e047f4a29320 -r d32480e157f4 sys/netinet/ip_nat.h
--- a/sys/netinet/ip_nat.h      Wed Nov 26 09:26:19 2003 +0000
+++ b/sys/netinet/ip_nat.h      Wed Nov 26 09:41:12 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_nat.h,v 1.26.4.1 2002/10/24 09:33:59 lukem Exp $    */
+/*     $NetBSD: ip_nat.h,v 1.26.4.2 2003/11/26 09:41:35 cyber Exp $    */
 
 /*
  * Copyright (C) 1995-2001 by Darren Reed.
@@ -47,15 +47,33 @@
 #ifndef        NAT_TABLE_SZ
 # define       NAT_TABLE_SZ    127
 #endif
+#ifndef NAT_TABLE_MAX
+/*
+ * This is newly introduced and for the sake of "least surprise", the numbers
+ * present aren't what we'd normally use for creating a proper hash table.
+ *
+ * As an example, NAT_TABLE_MAX should not be > 127 when LARGE_NAT is undefined
+ * but this is the default situation and introducing a limit as low as 100 for
+ * people may cause a lot of pain.  Similarly, other derived numbers are
+ * larger than the hash table size when in fact they should be smaller.
+ */
+# ifdef        NAT_TABLE_SZ
+#  define      NAT_TABLE_MAX   (NAT_TABLE_SZ * 2)
+# else
+#  define      NAT_TABLE_MAX   1027
+# endif
+#endif
 #ifdef LARGE_NAT
 #undef NAT_SIZE
 #undef RDR_SIZE
 #undef NAT_TABLE_SZ
-#undef HOSTMAP_SIZE    127
+#undef HOSTMAP_SIZE
+#undef NAT_TABLE_MAX
 #define        NAT_SIZE        2047
 #define        RDR_SIZE        2047
 #define        NAT_TABLE_SZ    16383
 #define        HOSTMAP_SIZE    8191
+#define        NAT_TABLE_MAX   31000
 #endif
 #ifndef        APR_LABELLEN
 #define        APR_LABELLEN    16
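Review bot: The `# else` branch defining `NAT_TABLE_MAX` as `1027` is unreachable, because the `#ifndef NAT_TABLE_SZ` block a few lines above guarantees `NAT_TABLE_SZ` is defined by the time `# ifdef NAT_TABLE_SZ` is tested; the inner conditional should collapse to `# define NAT_TABLE_MAX (NAT_TABLE_SZ * 2)` so a reader is not left looking for a case that can never occur. The `LARGE_NAT` block then unconditionally undefines and redefines `NAT_TABLE_MAX`, which appears to match how the other sizes are handled but means a build-time override of the cap is silently discarded under `LARGE_NAT`; if that is intended, a one-line comment saying so would help. The fix to `#undef HOSTMAP_SIZE` is correct as written.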


