From owner-freebsd-stable Sat Mar 3 18:30:29 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 957F837B71A for ; Sat, 3 Mar 2001 18:30:24 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id SAA00679; Sat, 3 Mar 2001 18:30:20 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id SAA58759; Sat, 3 Mar 2001 18:30:19 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id SAA25152; Sat, 3 Mar 2001 18:30:19 -0800 (PST)
From: Don Lewis
Message-Id: <200103040230.SAA25152@salsa.gv.tsc.tdk.com>
Date: Sat, 3 Mar 2001 18:30:18 -0800
In-Reply-To: <20010303211958.A50525@palomine.net>
References: <20010303203733.A49750@palomine.net> <200103040211.SAA24825@salsa.gv.tsc.tdk.com> <20010303211958.A50525@palomine.net>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Chris Johnson , Don Lewis
Subject: Re: Did ipfw fwd just break?
Cc: stable@FreeBSD.ORG
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mar 3, 9:19pm, Chris Johnson wrote:
} Subject: Re: Did ipfw fwd just break?
}
} Now, is it possible to protect myself from whatever evil check_interface is
} supposed to protect me from, while still doing my transparent proxying? Or
} do I have to choose one or the other?

Try this patch. You might still have to disable check_interface if your host is multi-homed and net.inet.ip.forwarding is 0, but even so, you should be better protected than with the older code.

Your bug report pointed out a problem in the code, which I believe I have corrected in this patch. You can be the first to try it ;-)

Index: sys/netinet/ip_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v retrieving revision 1.130.2.17 diff -u -u -r1.130.2.17 ip_input.c --- sys/netinet/ip_input.c 2001/03/02 20:55:14 1.130.2.17 +++ sys/netinet/ip_input.c 2001/03/04 02:23:23 @@ -124,6 +124,12 @@ &ip_keepfaith, 0, "Enable packet capture for FAITH IPv4->IPv6 translater daemon"); +/* + * XXX - Setting ip_checkinterface mostly implements the receive side of + * the Strong ES model described in RFC 1122, but since the routing table + * and transmit implementation do not implement the Strong ES model, + * setting this to 1 results in an odd hybrid. + */ static int ip_checkinterface = 1; SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW, &ip_checkinterface, 0, "Verify packet arrives on correct interface");
@@ -258,7 +264,7 @@ struct ip *ip; struct ipq *fp; struct in_ifaddr *ia; - int i, hlen, mff; + int i, hlen, mff, checkif; u_short sum; u_int16_t divert_cookie; /* firewall cookie */ struct in_addr pkt_dst; @@ -482,6 +488,31 @@ pkt_dst = ip_fw_fwd_addr == NULL ? ip->ip_dst : ip_fw_fwd_addr->sin_addr; + /* + * Don't accept packets with a loopback destination address + * unless they arrived via the loopback interface. + */ + if ((ntohl(ip->ip_dst.s_addr) & IN_CLASSA_NET) == + (IN_LOOPBACKNET << IN_CLASSA_NSHIFT) && + (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { + m_freem(m); +#ifdef IPFIREWALL_FORWARD + ip_fw_fwd_addr = NULL; +#endif + return; + } + + /* + * Enable a consistency check between the destination address + * and the arrival interface for a unicast packet (the RFC 1122 + * strong ES model) if IP forwarding is disabled and the packet + * is not locally generated and the packet is not subject to + * 'ipfw fwd'. + */ + checkif = ip_checkinterface && (ipforwarding == 0) && + ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) && + (ip_fw_fwd_addr == NULL); + TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) { #define satosin(sa) ((struct sockaddr_in *)(sa)) 
@@ -490,17 +521,22 @@ goto ours; #endif /* - * check that the packet is either arriving from the - * correct interface or is locally generated. + * If the address matches, verify that the packet + * arrived via the correct interface if checking is + * enabled. */ - if (ia->ia_ifp != m->m_pkthdr.rcvif && ip_checkinterface && - (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) - continue; - - if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr) + if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr && + (!checkif || ia->ia_ifp == m->m_pkthdr.rcvif)) goto ours; - - if (ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) { + /* + * Only accept broadcast packets that arrive via the + * matching interface. Reception of forwarded directed + * broadcasts would be handled via ip_forward() and + * ether_output() with the loopback into the stack for + * SIMPLEX interfaces handled by ether_output(). + */ + if (ia->ia_ifp == m->m_pkthdr.rcvif && + ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) { if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr == pkt_dst.s_addr) goto ours;
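Review bot: in the @@ -124,6 +124,12 @@ hunk, the sysctl description `"Verify packet arrives on correct interface"` next to `static int ip_checkinterface = 1;` is left unchanged even though, after this patch, the check is skipped whenever net.inet.ip.forwarding is non-zero, the packet arrived via a loopback interface, or an 'ipfw fwd' rule applies (the `checkif` assignment in the @@ -482 hunk). The new XXX comment documents the Strong ES caveat but not this; suggest saying in the description or the comment that the check is only enforced with forwarding disabled, so an administrator of a multi-homed router does not assume the sysctl still protects them.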
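Review bot: in the @@ -482,6 +488,31 @@ hunk, the loopback test `(ntohl(ip->ip_dst.s_addr) & IN_CLASSA_NET) == (IN_LOOPBACKNET << IN_CLASSA_NSHIFT)` deliberately inspects `ip->ip_dst` rather than the `pkt_dst` computed two lines above, so a packet redirected to a 127.x address by 'ipfw fwd' (the transparent-proxy case in the question) is still accepted while a packet that arrived on the wire addressed to 127.x is dropped; that distinction is easy to mistake for an oversight, so the new comment should state it explicitly. Also, the drop path is a bare `m_freem(m); return;` with no ipstat counter incremented, which makes these drops invisible to netstat when someone debugs a proxy that stopped working; suggest counting them like the other input-side drops.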
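Review bot: in the @@ -490,17 +521,22 @@ hunk, the `ia->ia_ifp &&` guard in `if (ia->ia_ifp == m->m_pkthdr.rcvif && ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST)` is now redundant: once `ia->ia_ifp == m->m_pkthdr.rcvif` holds, `ia->ia_ifp` is non-NULL because `m->m_pkthdr.rcvif->if_flags` has already been dereferenced in the @@ -482 hunk, so the middle term can be dropped. Separately, unlike the unicast match, which is gated on `!checkif`, the new interface restriction on the broadcast match applies unconditionally, so a directed broadcast for one interface arriving on another is no longer accepted locally even with check_interface set to 0 and forwarding enabled; the comment explains that ip_forward() and ether_output() take over, but since this behaviour change is independent of the sysctl it deserves a line in the commit message.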