Identify the return value (rval) that led to the IPv4 NAT failure

in ipf_nat_checkout() and report it in the frb_natv4out and frb_natv4in dtrace probes. This is currently being used to diagnose NAT failures in PR/208566. It's rather handy so this commit makes it available for future diagnosis and debugging efforts. PR: 208566 MFC after: 1 week
2018-08-10 00:04:32 +00:00 · 2018-08-10 00:04:32 +00:00 · e6191e11f0
commit e6191e11f0
parent b534d57f63
1 changed files with 22 additions and 6 deletions
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@ -4951,7 +4951,7 @@ ipf_nat_checkout(fin, passp)
 				case 0 :
 					continue;
 				case -1 :
-					rval = -1;
+					rval = -3;
 					goto outmatchfail;
 				case 1 :
 				default :
@ -4996,7 +4996,7 @@ ipf_nat_checkout(fin, passp)
 				natfailed = 0;
 				break;
 			}
-			natfailed = -1;
+			natfailed = -2;
 		}
 		if ((np == NULL) && (nmsk < softn->ipf_nat_map_max)) {
 			nmsk++;
@ -5021,15 +5021,23 @@ ipf_nat_checkout(fin, passp)

 	switch (rval)
 	{
+	case -3 :
+		/* ipf_nat_match() failure */
+		/* FALLTHROUGH */
+	case -2 :
+		/* retry_roundrobin loop failure */
+		/* FALLTHROUGH */
 	case -1 :
+		/* proxy failure detected by ipf_nat_out() */
 		if (passp != NULL) {
-			DT1(frb_natv4out, fr_info_t *, fin);
+			DT2(frb_natv4out, fr_info_t *, fin, int, rval);
 			NBUMPSIDED(1, ns_drop);
 			*passp = FR_BLOCK;
 			fin->fin_reason = FRB_NATV4;
 		}
 		fin->fin_flx |= FI_BADNAT;
 		NBUMPSIDED(1, ns_badnat);
+		rval = -1;	/* We only return -1 on error. */
 		break;
 	case 0 :
 		NBUMPSIDE(1, ns_ignored);
@ -5437,7 +5445,7 @@ ipf_nat_checkin(fin, passp)
 				case 0 :
 					continue;
 				case -1 :
-					rval = -1;
+					rval = -3;
 					goto inmatchfail;
 				case 1 :
 				default :
@ -5484,7 +5492,7 @@ ipf_nat_checkin(fin, passp)
 				natfailed = 0;
 				break;
 			}
-			natfailed = -1;
+			natfailed = -2;
 		}
 		if ((np == NULL) && (rmsk < softn->ipf_nat_rdr_max)) {
 			rmsk++;
@ -5509,15 +5517,23 @@ ipf_nat_checkin(fin, passp)

 	switch (rval)
 	{
+	case -3 :
+		/* ipf_nat_match() failure */
+		/* FALLTHROUGH */
+	case -2 :
+		/* retry_roundrobin loop failure */
+		/* FALLTHROUGH */
 	case -1 :
+		/* proxy failure detected by ipf_nat_out() */
 		if (passp != NULL) {
-			DT1(frb_natv4in, fr_info_t *, fin);
+			DT2(frb_natv4in, fr_info_t *, fin, int, rval);
 			NBUMPSIDED(0, ns_drop);
 			*passp = FR_BLOCK;
 			fin->fin_reason = FRB_NATV4;
 		}
 		fin->fin_flx |= FI_BADNAT;
 		NBUMPSIDED(0, ns_badnat);
+		rval = -1;	/* We only return -1 on error. */
 		break;
 	case 0 :
 		NBUMPSIDE(0, ns_ignored);