From owner-freebsd-bugs@FreeBSD.ORG Mon Sep 3 14:50:05 2012
Message-Id: <201208311207.q7VC790M042800@vpn1-m1.rambler.ru>
Date: Fri, 31 Aug 2012 16:07:09 +0400 (MSK)
From: Konstantin Kukushkin
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: glebius@rambler-co.ru
Subject: bin/171279: bsnmpd can reply from other address
Resent-Date: Mon, 3 Sep 2012 14:50:05 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
List-Id: Bug reports

>Number:         171279
>Category:       bin
>Synopsis:       bsnmpd can reply from other address
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 03 14:50:04 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Konstantin Kukushkin
>Release:        FreeBSD 9.0-STABLE amd64
>Organization:
Rambler Internet Holding, LLC
>Environment:
System: FreeBSD vpn1-m1.rambler.ru 9.0-STABLE FreeBSD 9.0-STABLE #2 r231584M: Mon Feb 13 18:24:25 MSK 2012 glebius@vpn1-m1.rambler.ru:/usr/obj/usr/home/glebius/9/sys/VPN amd64
>Description:
bsnmpd by default listens on INADDR_ANY, and on a multihomed system the daemon can receive queries to some addresses. When replying to a query, bsnmpd simply uses sendto(), so the OS builds the response datagram with the source IP nearest to the sender, which may not be equal to the destination IP of the original query.

This is OK for net-snmp utilities like snmpget and snmpwalk, but it can't work with stateful firewalls like ipfw(4) or pf(4). Please fix it.
>How-To-Repeat:
I used the multihomed host vpn1-m1:

[pts/2] dark@vpn1-m1:~> ( ifconfig bge0 inet ; ifconfig lo0 inet )|grep inet
	inet 81.19.94.147 netmask 0xfffffff8 broadcast 81.19.94.151
	inet 127.0.0.1 netmask 0xff000000
	inet 81.19.64.133 netmask 0xffffffff
	inet 81.19.79.1 netmask 0xffffffff

with ``onestarted`` bsnmpd:

[pts/2] dark@vpn1-m1:~> sudo /etc/rc.d/bsnmpd onestart
Starting bsnmpd.
[pts/2] dark@vpn1-m1:~> sockstat | grep 'bsnmpd.*161'
root     bsnmpd     38365 6  udp4   *:161                 *:*

and another host to query an address routed to vpn1-m1:

[pts/53] dark@dark:~> ifconfig re0 inet|grep inet
	inet 81.19.64.109 netmask 0xffffffe0 broadcast 81.19.64.127
[pts/53] dark@dark:~> snmpget -v 2c -c public 81.19.64.133 sysDescr.0
Timeout: No Response from 81.19.64.133.

tcpdump on the multihomed host shows that bsnmpd replies from a source other than the query destination:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:16.007788 IP 81.19.64.109.60689 > 81.19.64.133.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
15:17:16.008005 IP 81.19.94.147.161 > 81.19.64.109.60689: GetResponse(76) .1.3.6.1.2.1.1.1.0="vpn1-m1.rambler.ru 4212937669 FreeBSD 9.0-STABLE"

>Fix:
Other UDP servers like named create listening sockets bind()'ed to the addresses from getifaddrs() output, not INADDR_ANY. When the daemon receives a query on a bind()'ed socket it knows which address the query was sent to, and can reply correctly.

Unfortunately I don't know of any other mechanism for getting the datagram destination address in FreeBSD; in Linux there is the 'IP_PKTINFO' socket option for this.
>Release-Note:
>Audit-Trail:
>Unformatted:
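The following is an added example by the editor, not bsnmpd's code and not part of the report. It demonstrates the second approach the reporter mentions: keep a single INADDR_ANY socket, but ask the kernel to report the destination address of each request via a control message and then force the reply to go out from that same address, rather than letting sendto() pick the "nearest" source. On Linux that is IP_PKTINFO in both directions (ipi_addr on receive, ipi_spec_dst on send); FreeBSD's ip(4) documents the equivalent pair IP_RECVDSTADDR (receive) and IP_SENDSRCADDR (send), and the code selects whichever the platform defines. The function names (recv_with_dst, send_from, loopback_roundtrip) and the constructed "GetRequest" payload are this example's own; the self-check runs over loopback only, so it cannot show the multihomed mismatch from the tcpdump above, only that the reply leaves from exactly the address the query was sent to.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1   /* Linux: expose struct in_pktinfo and CMSG_* */
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Control-message buffer large enough for one in_pktinfo or one in_addr. */
union cmsgbuf { struct cmsghdr hdr; char raw[64]; };

/* Ask the kernel to report, per datagram, the address it was sent to. */
static int enable_dstaddr(int fd)
{
    int on = 1;
#if defined(IP_PKTINFO)
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);      /* Linux */
#elif defined(IP_RECVDSTADDR)
    return setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof on);  /* FreeBSD */
#else
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* recvmsg() wrapper: returns payload length, fills *peer and *dst
 * (*dst stays INADDR_ANY if the kernel reported no destination). */
static ssize_t recv_with_dst(int fd, void *buf, size_t len,
                             struct sockaddr_in *peer, struct in_addr *dst)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    union cmsgbuf cb;
    struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof *peer,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cb.raw, .msg_controllen = sizeof cb.raw };
    ssize_t n = recvmsg(fd, &msg, 0);
    dst->s_addr = htonl(INADDR_ANY);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != IPPROTO_IP) continue;
#if defined(IP_PKTINFO)
        if (c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;              /* address the request was sent to */
        }
#elif defined(IP_RECVDSTADDR)
        if (c->cmsg_type == IP_RECVDSTADDR) memcpy(dst, CMSG_DATA(c), sizeof *dst);
#endif
    }
    return n;
}

/* sendmsg() wrapper: like sendto(), but forces the source address to src
 * instead of letting the routing table pick the nearest local address. */
static ssize_t send_from(int fd, const void *buf, size_t len,
                         const struct sockaddr_in *peer, struct in_addr src)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    union cmsgbuf cb;
    struct msghdr msg = { .msg_name = (void *)peer, .msg_namelen = sizeof *peer,
                          .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cb.raw };
    memset(&cb, 0, sizeof cb);
    cb.hdr.cmsg_level = IPPROTO_IP;
#if defined(IP_PKTINFO)
    struct in_pktinfo pi = { .ipi_spec_dst = src };    /* Linux: source to use */
    cb.hdr.cmsg_type = IP_PKTINFO;
    cb.hdr.cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(&cb.hdr), &pi, sizeof pi);
    msg.msg_controllen = CMSG_SPACE(sizeof pi);
#elif defined(IP_SENDSRCADDR)
    cb.hdr.cmsg_type = IP_SENDSRCADDR;                  /* FreeBSD */
    cb.hdr.cmsg_len = CMSG_LEN(sizeof src);
    memcpy(CMSG_DATA(&cb.hdr), &src, sizeof src);
    msg.msg_controllen = CMSG_SPACE(sizeof src);
#else
    msg.msg_control = NULL;                             /* kernel picks the source */
#endif
    return sendmsg(fd, &msg, 0);
}

/* Loopback self-check: a responder on INADDR_ANY (as bsnmpd binds) gets a
 * constructed query addressed to 127.0.0.1 and must answer from 127.0.0.1.
 * Writes the reply's observed source into out; returns 0 if it matched. */
int loopback_roundtrip(char *out, size_t outlen)
{
    int rc = -1, srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in any = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
    struct sockaddr_in target, peer, from;
    socklen_t sl = sizeof target, fl = sizeof from;
    struct timeval tmo = { .tv_sec = 2 };              /* never hang if loopback is down */
    struct in_addr dst;
    char buf[256];
    const char query[] = "GetRequest sysDescr.0";      /* constructed stand-in for an SNMP PDU */
    ssize_t n;

    if (srv < 0 || cli < 0) goto out;
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo);
    if (bind(srv, (struct sockaddr *)&any, sizeof any) < 0 || enable_dstaddr(srv) < 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&target, &sl) < 0) goto out;
    target.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* query 127.0.0.1:<port> */
    if (sendto(cli, query, sizeof query, 0, (struct sockaddr *)&target, sizeof target) < 0) goto out;

    n = recv_with_dst(srv, buf, sizeof buf, &peer, &dst);
    if (n < 0 || dst.s_addr == htonl(INADDR_ANY)) goto out;
    if (send_from(srv, buf, (size_t)n, &peer, dst) < 0) goto out;   /* reply from dst, not sendto() */

    if (recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl) < 0) goto out;
    if (inet_ntop(AF_INET, &from.sin_addr, out, outlen) == NULL) goto out;
    rc = (from.sin_addr.s_addr == dst.s_addr) ? 0 : -1;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}

/* 1 if the reply came back from exactly 127.0.0.1, else 0. */
int reply_source_matches_query_dst(void)
{
    char src[INET_ADDRSTRLEN];
    return loopback_roundtrip(src, sizeof src) == 0 && strcmp(src, "127.0.0.1") == 0;
}

int main(void)
{
    char src[INET_ADDRSTRLEN] = "?";
    int rc = loopback_roundtrip(src, sizeof src);
    printf("reply source %s (%s)\n", src, rc == 0 ? "matches query destination" : "mismatch or error");
    return rc == 0 ? 0 : 1;
}
```

Compared with the getifaddrs()-and-bind approach the reporter describes, this keeps one socket and needs no re-enumeration when addresses are added or removed; the trade-off is one extra control message on every receive and send. Either way the property a stateful firewall needs is the same: the reply's source must equal the request's destination, which plain sendto() on an INADDR_ANY socket does not guarantee on a multihomed host.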