Date: Fri, 31 Aug 2012 16:07:09 +0400 (MSK)
From: Konstantin Kukushkin <dark@rambler-co.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: glebius@rambler-co.ru
Subject: bin/171279: bsnmpd can reply from other address
Message-ID: <201208311207.q7VC790M042800@vpn1-m1.rambler.ru>
Resent-Message-ID: <201209031450.q83Eo5f0061172@freefall.freebsd.org>
>Number:         171279
>Category:       bin
>Synopsis:       bsnmpd can reply from other address
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 03 14:50:04 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Konstantin Kukushkin
>Release:        FreeBSD 9.0-STABLE amd64
>Organization:
Rambler Internet Holding, LLC
>Environment:
System: FreeBSD vpn1-m1.rambler.ru 9.0-STABLE FreeBSD 9.0-STABLE #2 r231584M: Mon Feb 13 18:24:25 MSK 2012 glebius@vpn1-m1.rambler.ru:/usr/obj/usr/home/glebius/9/sys/VPN amd64
>Description:
bsnmpd by default listens on INADDR_ANY, and on a multihomed system the daemon can receive queries to several addresses. When replying to a query, bsnmpd simply uses sendto(), so the OS builds the response datagram with the source IP nearest to the sender, which may not be equal to the destination IP of the original query.

This is OK for net-snmp utilities like snmpget and snmpwalk, but it can't work with stateful firewalls like ipfw(4) or pf(4). Please fix it.
>How-To-Repeat:
I used the multihomed host vpn1-m1:

[pts/2] dark@vpn1-m1:~> ( ifconfig bge0 inet ; ifconfig lo0 inet )|grep inet
	inet 81.19.94.147 netmask 0xfffffff8 broadcast 81.19.94.151
	inet 127.0.0.1 netmask 0xff000000
	inet 81.19.64.133 netmask 0xffffffff
	inet 81.19.79.1 netmask 0xffffffff

with ``onestarted`` bsnmpd:

[pts/2] dark@vpn1-m1:~> sudo /etc/rc.d/bsnmpd onestart
Starting bsnmpd.
[pts/2] dark@vpn1-m1:~> sockstat | grep 'bsnmpd.*161'
root     bsnmpd     38365 6  udp4   *:161                 *:*

and another host to query an address routed to vpn1-m1:

[pts/53] dark@dark:~> ifconfig re0 inet|grep inet
	inet 81.19.64.109 netmask 0xffffffe0 broadcast 81.19.64.127
[pts/53] dark@dark:~> snmpget -v 2c -c public 81.19.64.133 sysDescr.0
Timeout: No Response from 81.19.64.133.

tcpdump on the multihomed host shows that bsnmpd replies from a source other than the query destination:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:16.007788 IP 81.19.64.109.60689 > 81.19.64.133.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
15:17:16.008005 IP 81.19.94.147.161 > 81.19.64.109.60689: GetResponse(76) .1.3.6.1.2.1.1.1.0="vpn1-m1.rambler.ru 4212937669 FreeBSD 9.0-STABLE"
>Fix:
Other UDP servers like named try to create listening sockets bind()'ed to the addresses from getifaddrs() output, not INADDR_ANY. When the daemon receives a query on a bind()'ed socket it knows which address the query was sent to, and can reply correctly. Unfortunately I don't know any other mechanism for getting the datagram destination address in FreeBSD; in Linux there is the 'IP_PKTINFO' socket option for this.
>Release-Note:
>Audit-Trail:
>Unformatted:
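The per-address bind() approach proposed in the >Fix section, as an added example (not code from this PR or from bsnmpd): bind_per_address() opens one UDP socket per IPv4 address reported by getifaddrs(), and reply_source_matches() runs a query/reply through the first of them and checks that the reply's source address is exactly the address that was queried, which is what a stateful firewall's state entry requires. The function names, the 2 s receive timeout, the 32-socket limit and the use of an ephemeral port instead of 161 are assumptions of this example; a real daemon would poll() all the bound sockets.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <ifaddrs.h>
#include <unistd.h>

/* Receive timeout for every socket, so a lost datagram cannot hang a caller. */
static const struct timeval rcv_timeout = { 2, 0 };

/* Bind one UDP socket per local IPv4 address from getifaddrs() on 'port'
 * (0 = ephemeral) instead of one INADDR_ANY socket; returns the count or -1. */
int bind_per_address(unsigned short port, int *fds, int max)
{
    struct ifaddrs *ifa0, *ifa;
    int n = 0, fd;
    if (getifaddrs(&ifa0) != 0) return -1;
    for (ifa = ifa0; ifa != NULL && n < max; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET) continue;
        struct sockaddr_in sin = *(struct sockaddr_in *)ifa->ifa_addr;
        sin.sin_port = htons(port);   /* keep the address, set only the port */
        if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) continue;
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &rcv_timeout, sizeof rcv_timeout);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) fds[n++] = fd;
        else close(fd);
    }
    freeifaddrs(ifa0);
    return n;
}

/* Round trip: a client queries the first bound socket, the daemon side answers
 * on the fd the query arrived on (so that fd's bound address becomes the reply's
 * source), and the client checks the reply comes from the address it queried. */
int reply_source_matches(void)
{
    int fds[32], n = bind_per_address(0, fds, 32), cli = socket(AF_INET, SOCK_DGRAM, 0), ok;
    struct sockaddr_in srv, peer, from;
    socklen_t len = sizeof srv, plen = sizeof peer;
    char buf[64]; ssize_t r;
    if (n < 1) { close(cli); return 0; }
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &rcv_timeout, sizeof rcv_timeout);
    getsockname(fds[0], (struct sockaddr *)&srv, &len);   /* address to query */
    sendto(cli, "query", 5, 0, (struct sockaddr *)&srv, sizeof srv);
    r = recvfrom(fds[0], buf, sizeof buf, 0, (struct sockaddr *)&peer, &plen);
    if (r > 0) sendto(fds[0], buf, (size_t)r, 0, (struct sockaddr *)&peer, plen);
    r = recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &len);
    ok = r > 0 && from.sin_addr.s_addr == srv.sin_addr.s_addr;   /* 1 = match */
    while (n > 0) close(fds[--n]);
    close(cli);
    return ok;
}
```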