This is a discussion on "should ip_natout return -1 when it runs out of ports to create nat" within the IPFilter forums, part of the System Security and Security Related category.
Hi,
On FreeBSD 4.7 and 4.9, the ip_natout function returns 0 when it can't allocate a TCP/UDP port for an outbound map. This makes it confusing, as ip_natout returning 0 also means there is no ipnat rule to match. This causes internal IPs to leak on the external side when the ports run out. For example:

    map xl0 from 10.10.0.0/16 to 172.31.2.144 port = 23 -> 172.31.2.148/32 portmap tcp 30000:30010
    pass in log quick on tl0 proto tcp from 10.10.0.0/16 to 172.31.2.144 port = 23 flags S keep state

There are only 10 ports available for the map, intentionally, to illustrate the problem. When 11 telnet sessions pass through the ipfilter, the 11th session goes out with an un-mapped source IP.

I suggest the following modification to ip_natout.c:

void *sifp; u_32_t iph; nat_t *nat; + int cant_nat = 0; + if (nat_list == NULL || (fr_nat_lock)) return 0; *************** *** 2431,2436 **** --- 2439,2448 ---- np->in_hits++; break; } + /* if can't nat, set a flag to dump the packet + did the fil.c listen? */ + else + cant_nat = 1; } if ((np == NULL) && (i > 0)) { do { *************** *** 2552,2557 **** --- 2564,2574 ---- } RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */ fin->fin_ifp = sifp; + /* return -1 if a nat rule was matched, but no resource + to create nat state */ + if (cant_nat) + return -1; + else return 0; }

Does anyone know if the behavior has changed in the 4.x release?

Regards
Ming
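Review bot: in the hunk at 2431,2436 the new `else cant_nat = 1;` sets the flag whenever a matched rule fails to create state, but nothing ever clears it; if the rule loop goes on to try another rule that does create state, make sure that success path returns before the final `if (cant_nat) return -1;`, otherwise a packet that was actually translated gets dropped. The comment `did the fil.c listen?` also leaves the essential half of the change undone: the caller in fil.c must treat -1 as a drop (a caller that only tests the result for non-zero would treat -1 like a successful translation), and the drop should be counted in the NAT statistics so port exhaustion is visible to the operator rather than silent. Replace the question with a statement of the intended return contract and include the fil.c change in the same patch.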
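Review bot: in the hunk at 2552,2557 the `else` after `return -1;` is redundant; `return cant_nat ? -1 : 0;` expresses the same thing in one line and matches the file's style. Also, the first hunk leaves the early `if (nat_list == NULL || (fr_nat_lock)) return 0;` untouched, so when `fr_nat_lock` is set, traffic that a rule should have translated still gets the "no rule" value and passes unmapped, which is the same leak this patch is fixing for the exhausted-port case; either distinguish that path too or document why it is deliberately fail-open.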
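As an added illustration (not code from the post or from IPFilter), the following toy model puts the two return-value contracts side by side: a caller that treats 0 as "no rule, pass unchanged" forwards the 11th session with its private source address when both "no rule" and "ports exhausted" are reported as 0, and drops it once exhaustion is reported as -1. The rule, the constructed 10-port range, the addresses and every function name are assumptions made for the example.

```c
/* Added toy model (not from the post or the IPFilter source) of the outbound
 * NAT decision; natout_model, nat_rule and NPORTS are constructed names. */
#include <stdint.h>
#define NPORTS 10                        /* constructed: 10-port portmap range */

struct nat_rule {
    uint32_t match_net, match_mask;      /* "from 10.10.0.0/16" */
    uint16_t port_lo;                    /* first mapped port */
    uint8_t  used[NPORTS];               /* 1 if port_lo+i is allocated */
};

enum { NAT_NO_RULE = 0, NAT_DONE = 1, NAT_EXHAUSTED = -1 };

/* distinct_error == 0: behave like the 4.7/4.9 code described in the post,
 * reporting both "no matching rule" and "ports exhausted" as 0.
 * distinct_error == 1: report exhaustion as -1, as the proposed patch does. */
static int natout_model(struct nat_rule *r, uint32_t src, int distinct_error)
{
    if ((src & r->match_mask) != r->match_net)
        return NAT_NO_RULE;              /* rule does not apply to this source */
    for (int i = 0; i < NPORTS; i++) {
        if (!r->used[i]) {
            r->used[i] = 1;              /* allocate port_lo + i */
            return NAT_DONE;
        }
    }
    return distinct_error ? NAT_EXHAUSTED : NAT_NO_RULE;
}

/* Caller policy as the post describes it: 0 means "no rule, pass unchanged",
 * so the packet leaves with its internal source address; -1 means drop.
 * Returns 1 if the private source address reached the outside (the leak). */
static int leaks_private_src(struct nat_rule *r, uint32_t src, int distinct_error)
{
    int rc = natout_model(r, src, distinct_error);
    return rc == NAT_NO_RULE;            /* NAT_DONE and NAT_EXHAUSTED do not leak */
}

/* Opens n sessions from 10.10.1.1 through a fresh rule; 1 if any leaked. */
static int sessions_leak(int n, int distinct_error)
{
    struct nat_rule r = { 0x0a0a0000u, 0xffff0000u, 30001, {0} };
    int leaked = 0;
    for (int i = 0; i < n; i++)
        leaked |= leaks_private_src(&r, 0x0a0a0101u, distinct_error);
    return leaked;
}
```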