From 683a58eeb9ce3dcfbaa613f85e36687d11e75d26 Mon Sep 17 00:00:00 2001
From: Cy Schubert <cy@FreeBSD.org>
Date: Sun, 19 Aug 2018 13:45:03 +0000
Subject: [PATCH] The bucket index is subtracted by one at lines 2304 and 2314.
  When 0 it becomes -1, except these are unsigned integers, so they become
 very large numbers. Thus are always larger than the maximum bucket; the hash
 table insertion fails causing NAT to fail.

This commit ensures that if the index is already zero it is not reduced
prior to insertion into the hash table.

PR:		208566
---
 sys/contrib/ipfilter/netinet/ip_nat.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index 815182607f8c..7c3e0c9fcee4 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -2304,14 +2304,16 @@ ipf_nat_delete(softc, nat, logtype)
 
 		bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz;
 		nss = &softn->ipf_nat_stats.ns_side[0];
-		nss->ns_bucketlen[bkt]--;
+		if (nss->ns_bucketlen[bkt] > 0)
+			nss->ns_bucketlen[bkt]--;
 		if (nss->ns_bucketlen[bkt] == 0) {
 			nss->ns_inuse--;
 		}
 
 		bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz;
 		nss = &softn->ipf_nat_stats.ns_side[1];
-		nss->ns_bucketlen[bkt]--;
+		if (nss->ns_bucketlen[bkt] > 0)
+			nss->ns_bucketlen[bkt]--;
 		if (nss->ns_bucketlen[bkt] == 0) {
 			nss->ns_inuse--;
 		}