Date:      Mon, 1 Mar 1999 08:47:18 -0600 (CST)
From:      Guy Helmer <ghelmer@mocha.cs.iastate.edu>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/10324: ip_fw allows divert rules even though not built with IPDIVERT option
Message-ID:  <199903011447.IAA05041@mocha.cs.iastate.edu>


>Number:         10324
>Category:       kern
>Synopsis:       ip_fw allows divert rules even though not built with IPDIVERT option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar  1 06:50:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Guy Helmer
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
ISU Dept of Computer Science
>Environment:

	All kernels built with IPFIREWALL or using the ip_fw lkm/kld module

>Description:

	sys/netinet/ip_fw.c will allow divert rules to be defined
	without having been compiled with the IPDIVERT option.  If
	not built with the IPDIVERT option, ip_fw should complain about
	divert rules instead of silently accepting them.

>How-To-Repeat:

	Boot with a GENERIC kernel and load the ip_fw module, or boot
	a kernel built with the IPFIREWALL option but not with the IPDIVERT option.
	Then, install an ipfw divert rule and try to use natd.  "ipfw show"
	will show that packets are matching the divert rule, but "natd -v"
	will not show any packets being diverted and "netstat -a" will
	not show the divert socket.

>Fix:
	
	A fix would be for ip_fw.c to disallow divert rules if not
	built with the IPDIVERT option:

--- ip_fw.c.ORIG	Tue Feb 16 08:03:11 1999
+++ ip_fw.c	Mon Mar  1 08:45:45 1999
@@ -1103,6 +1103,11 @@
 		}
 		break;
 	case IP_FW_F_DIVERT:		/* Diverting to port zero is invalid */
+#ifndef IPDIVERT
+		dprintf(("divert disabled\n"));
+		return (EINVAL);
+		/* #else fall through */
+#endif
 	case IP_FW_F_PIPE:              /* piping through 0 is invalid */
 	case IP_FW_F_TEE:
 		if (frwl->fw_divert_port == 0) {
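Review bot: the new `#ifndef IPDIVERT` guard sits only under `case IP_FW_F_DIVERT:`, while `case IP_FW_F_TEE:` a few lines below shares the same fw_divert_port handling and also relies on a divert socket to receive the copied packets, so a tee rule would still be installed on a kernel without IPDIVERT; add the same rejection under the tee case (or restructure the cases so both divert and tee reach the check before falling into the IP_FW_F_PIPE port-zero test). Minor: the `/* #else fall through */` comment follows an unconditional `return`, so it documents the `#else` path rather than the code next to it; a plain `/* FALLTHROUGH */` placed after `#endif` reads more clearly.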

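The rule-install check before and after the fix, as an added stand-alone model rather than FreeBSD's ip_fw.c itself: the enum, struct fw_rule and the runtime kernel_has_ipdivert flag are assumptions standing in for the IP_FW_F_* action flags and the compile-time IPDIVERT option, and the hardened version also rejects tee rules, which goes beyond the patch above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the IP_FW_F_* action flags in ip_fw.c (assumed names). */
enum fw_action { FW_ACCEPT, FW_DENY, FW_DIVERT, FW_TEE, FW_PIPE };

struct fw_rule {
    enum fw_action action;
    uint16_t divert_port;   /* fw_divert_port in the real structure */
};

/* In the kernel this is the compile-time IPDIVERT option; it is a runtime
 * flag here so both kinds of kernel can be exercised in one program. */
static int kernel_has_ipdivert = 0;

/* Before the fix: only the port-zero check exists, so a divert rule is
 * accepted even though no divert socket can ever receive the packets. */
static int check_rule_before(const struct fw_rule *r)
{
    switch (r->action) {
    case FW_DIVERT:
    case FW_PIPE:
    case FW_TEE:
        if (r->divert_port == 0)
            return EINVAL;
        break;
    default:
        break;
    }
    return 0;
}

/* After the fix: divert and tee rules are refused at install time when the
 * kernel lacks IPDIVERT, so the administrator learns immediately instead of
 * discovering later that natd never sees any packets. */
static int check_rule_after(const struct fw_rule *r)
{
    switch (r->action) {
    case FW_DIVERT:
    case FW_TEE:
        if (!kernel_has_ipdivert) {
            fprintf(stderr, "ipfw: divert disabled in this kernel\n");
            return EINVAL;
        }
        /* FALLTHROUGH */
    case FW_PIPE:
        if (r->divert_port == 0)
            return EINVAL;
        break;
    default:
        break;
    }
    return 0;
}
```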
>Release-Note:
>Audit-Trail:
>Unformatted:

