From owner-freebsd-bugs  Mon Mar  1  6:50:17 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 835AF15028
	for <freebsd-bugs@FreeBSD.org>; Mon,  1 Mar 1999 06:50:16 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.2/8.9.2) id GAA42438;
	Mon, 1 Mar 1999 06:50:00 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from mocha.cs.iastate.edu (mocha.cs.iastate.edu [129.186.3.34])
	by hub.freebsd.org (Postfix) with ESMTP id 90CB61538C
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  1 Mar 1999 06:47:38 -0800 (PST)
	(envelope-from ghelmer@mocha.cs.iastate.edu)
Received: (from ghelmer@localhost)
	by mocha.cs.iastate.edu (8.9.3/8.9.1) id IAA05041;
	Mon, 1 Mar 1999 08:47:18 -0600 (CST)
	(envelope-from ghelmer)
Message-Id: <199903011447.IAA05041@mocha.cs.iastate.edu>
Date: Mon, 1 Mar 1999 08:47:18 -0600 (CST)
From: Guy Helmer <ghelmer@mocha.cs.iastate.edu>
Reply-To: ghelmer@mocha.cs.iastate.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/10324: ip_fw allows divert rules even though not built with IPDIVERT option
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         10324
>Category:       kern
>Synopsis:       ip_fw allows divert rules even though not built with IPDIVERT option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar  1 06:50:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Guy Helmer
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
ISU Dept of Computer Science
>Environment:

	All kernels with IPFIREWALL or ip_fw lkm/kld module

>Description:

	sys/netinet/ip_fw.c will allow divert rules to be defined
	without having been compiled with the IPDIVERT option.  If
	not built with IPDIVERT option, ip_fw should complain about
	divert rules.

>How-To-Repeat:

	Boot with a GENERIC kernel and load the ip_fw module, or boot
	a kernel built with IPFIREWALL option but not with IPDIVERT option.
	Then, install an ipfw divert rule and try to use natd.  "ipfw show"
	will show that packets are matching the divert rule, but "natd -v"
	will not show any packets being diverted and "netstat -a" will
	not show the divert socket.

>Fix:
	
	A fix would be for ip_fw.c to disallow divert rules if not
	built with the IPDIVERT option:

--- ip_fw.c.ORIG	Tue Feb 16 08:03:11 1999
+++ ip_fw.c	Mon Mar  1 08:45:45 1999
@@ -1103,6 +1103,11 @@
 		}
 		break;
 	case IP_FW_F_DIVERT:		/* Diverting to port zero is invalid */
+#ifndef IPDIVERT
+		dprintf(("divert disabled\n"));
+		return (EINVAL);
+		/* #else fall through */
+#endif
 	case IP_FW_F_PIPE:              /* piping through 0 is invalid */
 	case IP_FW_F_TEE:
 		if (frwl->fw_divert_port == 0) {

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message