DF-0572
Per-CPU cfg_nat pointer cached in shared firewall rule: cross-CPU RB-tree races -> corruption
Summary
nat_add_dispatch runs on every CPU via netisr_forwardmsg_all (:766); each CPU allocates its own cfg_nat with its own RB trees (per-CPU lockless design). check_nat (:158-168) caches `((ipfw_insn_nat *)cmd)->nat = nat`, a per-CPU pointer, into the shared rule instruction. After that, every CPU uses the cfg_nat of whichever CPU populated the cache first. Multiple CPUs then run concurrent, unsynchronized RB_INSERT/RB_FIND/RB_REMOVE on one CPU's RB trees. The cleanup callout on another CPU may free states referenced by a third. There is no lock anywhere. Result: RB-tree corruption, torn reads/writes, infinite loops, UAF. Fix: do not cache the pointer; look it up per-CPU every time. Store an index/ID and resolve it to the current CPU's nat_ctx.
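Added illustration (a user-space model, not the kernel source): the cached-pointer pattern beside the ID-based lookup the fix describes. The struct layouts, the `nat_id` field, `owner_cpu`, `NCPU`, `NAT_MAX` and all function names are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>

#define NCPU    4   /* constructed: simulated CPU count */
#define NAT_MAX 8   /* constructed: NAT slots per CPU */

/* Hypothetical stand-ins; the real kernel structs hold RB trees and more. */
struct cfg_nat  { int id; int owner_cpu; };
struct nat_ctx  { struct cfg_nat *nats[NAT_MAX]; };     /* one per CPU */
struct insn_nat { int nat_id; struct cfg_nat *nat; };   /* shared rule insn */

static struct cfg_nat nat_store[NCPU][NAT_MAX];
static struct nat_ctx nat_ctx_percpu[NCPU];

/* Models the add message reaching every CPU: each gets a private cfg_nat. */
void nat_add_all_cpus(int id)
{
    if (id < 0 || id >= NAT_MAX)
        return;
    for (int cpu = 0; cpu < NCPU; cpu++) {
        nat_store[cpu][id] = (struct cfg_nat){ .id = id, .owner_cpu = cpu };
        nat_ctx_percpu[cpu].nats[id] = &nat_store[cpu][id];
    }
}

static struct cfg_nat *resolve(int cpu, int id)
{
    if (cpu < 0 || cpu >= NCPU || id < 0 || id >= NAT_MAX)
        return NULL;
    return nat_ctx_percpu[cpu].nats[id];
}

/* Flawed: the first CPU through stores its private pointer in the shared
 * rule, so every later CPU operates on that CPU's unlocked state. */
struct cfg_nat *lookup_cached(struct insn_nat *cmd, int cpu)
{
    if (cmd->nat == NULL)
        cmd->nat = resolve(cpu, cmd->nat_id);
    return cmd->nat;
}

/* Fixed: the rule carries only the ID; resolve on the current CPU each time. */
struct cfg_nat *lookup_percpu(const struct insn_nat *cmd, int cpu)
{
    return resolve(cpu, cmd->nat_id);
}

int main(void)
{
    struct insn_nat cmd = { 1, NULL };
    nat_add_all_cpus(1);
    lookup_cached(&cmd, 2);   /* CPU 2 populates the cache first */
    printf("cpu0 cached -> owner %d, cpu0 per-CPU -> owner %d\n",
           lookup_cached(&cmd, 0)->owner_cpu, lookup_percpu(&cmd, 0)->owner_cpu);
    return 0;
}
```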