DF-0571
kernel panic on any non-TCP/UDP/ICMP packet hitting NAT rule
Summary
Both switch statements in ip_fw3_nat() end in default: panic("ipfw3: unsupported proto %u", ip->ip_p) (:219 and :254). Any IP packet that is not TCP, UDP or ICMP (SCTP 132, GRE 47, ESP 50, UDPLite 136, IGMP) and matches a NAT rule crashes the kernel. The outbound path (:254) has no alias gate before the switch, so any internal host that emits such a protocol through a NAT rule panics the router. Network input handling must never panic on adversarial input. Fix: goto oops (IP_FW_DENY) instead of panic.
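A userland model of the fixed default arm, added here as an illustration and not taken from the ipfw3 source. The function names, the verdict enum (V_DENY stands in for IP_FW_DENY) and the header length checks are assumptions; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland model, not the ipfw3 source. V_DENY stands in for the
 * IP_FW_DENY result reached through the "oops" label in the fix. */
enum verdict { V_TRANSLATE, V_DENY };

/* IANA protocol numbers for the three cases the NAT code handles. */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* Classify one IPv4 packet the way the fixed switch would: known
 * protocols go on to translation, everything else is dropped. */
enum verdict nat_classify(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20)          /* shorter than a minimal IPv4 header */
        return V_DENY;
    if ((pkt[0] >> 4) != 4)               /* not IPv4 */
        return V_DENY;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)          /* IHL out of range for this buffer */
        return V_DENY;

    switch (pkt[9]) {                     /* ip_p */
    case PROTO_TCP:
    case PROTO_UDP:
    case PROTO_ICMP:
        return V_TRANSLATE;
    default:
        /* Before the fix this arm called panic(); untrusted input
         * must end in a drop, never in a kernel halt. */
        return V_DENY;
    }
}

/* Constructed sample: minimal 20-byte IPv4 header with the given protocol. */
enum verdict classify_proto(uint8_t proto)
{
    uint8_t pkt[20] = { 0x45 };           /* version 4, IHL 5 */
    pkt[9] = proto;
    return nat_classify(pkt, sizeof(pkt));
}

int main(void)
{
    static const uint8_t protos[] = { 6, 17, 1, 132, 47, 50, 136 };
    for (size_t i = 0; i < sizeof(protos); i++)
        printf("proto %3u -> %s\n", (unsigned)protos[i],
               classify_proto(protos[i]) == V_TRANSLATE ? "translate" : "deny");
    return 0;
}
```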