MFC:

Fix 3 issues relating to the use of "auth" rules in IPFilter, from sourceforge:
1837014 Kernel panics after authentication of an outgoing packet
1836992 Potential bugs in packet auth code (w/patches)
1836967 Kernel panic when using auth rule with keep state
and another reported only to FreeBSD by Andiry (see PR)

PR:		kern/118251
Submitted by:	Andriy Syrovenko <andriys@gmail.com>
Reviewed by:	darrenr
Approved by:	re

sys/contrib/ipfilter/netinet/fil.c

@@ -17,7 +17,7 @@
 #include <sys/time.h>
 #if defined(__NetBSD__)
 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
-#  if (__NetBSD_Version__ < 399001400)
+#  if (__NetBSD_Version__ < 301000000)
 #   include "opt_ipfilter_log.h"
 #  else
 #   include "opt_ipfilter.h"
@@ -2307,8 +2307,7 @@ u_32_t *passp;
 	if (FR_ISAUTH(pass)) {
 		if (fr_newauth(fin->fin_m, fin) != 0) {
 #ifdef	_KERNEL
-			if ((pass & FR_RETMASK) == 0)
-				fin->fin_m = *fin->fin_mp = NULL;
+			fin->fin_m = *fin->fin_mp = NULL;
 #else
 			;
 #endif
@@ -2600,7 +2599,8 @@ int out;
 	 * Here rather than fr_firewall because fr_checkauth may decide
 	 * to return a packet for "keep state"
 	 */
-	if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
+	if ((pass & FR_KEEPSTATE) && (fin->fin_m != NULL) &&
+	    !(fin->fin_flx & FI_STATE)) {
 		if (fr_addstate(fin, NULL, 0) != NULL) {
 			ATOMIC_INCL(frstats[out].fr_ads);
 		} else {

sys/contrib/ipfilter/netinet/ip_auth.c

@@ -303,7 +303,7 @@ u_32_t *passp;
 
 /* ------------------------------------------------------------------------ */
 /* Function:    fr_newauth                                                  */
-/* Returns:     int - 0 == success, else error                              */
+/* Returns:     int - 1 == success, 0 = did not put packet on auth queue    */
 /* Parameters:  m(I)   - pointer to mb_t with packet in it                  */
 /*              fin(I) - pointer to packet information                      */
 /*                                                                          */
@@ -339,10 +339,10 @@ fr_info_t *fin;
 	i = fr_authend++;
 	if (fr_authend == fr_authsize)
 		fr_authend = 0;
-	RWLOCK_EXIT(&ipf_auth);
-
 	fra = fr_auth + i;
 	fra->fra_index = i;
+	RWLOCK_EXIT(&ipf_auth);
+
 	if (fin->fin_fr != NULL)
 		fra->fra_pass = fin->fin_fr->fr_flags;
 	else
@@ -903,16 +903,6 @@ char *data;
 	}
 	RWLOCK_EXIT(&ipf_auth);
 
-	/*
-	 * We exit ipf_global here because a program that enters in
-	 * here will have a lock on it and goto sleep having this lock.
-	 * If someone were to do an 'ipf -D' the system would then
-	 * deadlock.  The catch with releasing it here is that the
-	 * caller of this function expects it to be held when we
-	 * return so we have to reacquire it in here.
-	 */
-	RWLOCK_EXIT(&ipf_global);
-
 	MUTEX_ENTER(&ipf_authmx);
 #ifdef	_KERNEL
 # if	SOLARIS
@@ -939,7 +929,6 @@ char *data;
 # endif /* SOLARIS */
 #endif
 	MUTEX_EXIT(&ipf_authmx);
-	READ_ENTER(&ipf_global);
 	if (error == 0)
 		goto fr_authioctlloop;
 	return error;
@@ -1027,6 +1016,7 @@ char *data;
 	 * not being processed, make sure we advance to the next one.
 	 */
 	if (error == ENOBUFS) {
+		WRITE_ENTER(&ipf_auth);
 		fr_authused--;
 		fra->fra_index = -1;
 		fra->fra_pass = 0;
@@ -1044,6 +1034,7 @@ char *data;
 				fr_authstart = fr_authend = 0;
 			}
 		}
+		RWLOCK_EXIT(&ipf_auth);
 	}
 #endif /* _KERNEL */
 	SPL_X(s);

sys/contrib/ipfilter/netinet/ip_fil_freebsd.c

@@ -1518,6 +1518,8 @@ mb_t *m;
 		}
 #endif
 	} else {
+		fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
+		fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
 #if (__FreeBSD_version >= 470102)
 		error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
 #else