From owner-freebsd-net Wed Oct 10 2:35:59 2001
Delivered-To: freebsd-net@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120])
	by hub.freebsd.org (Postfix) with ESMTP id AA3D237B407;
	Wed, 10 Oct 2001 02:35:55 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.245.138.251.Dial1.SanJose1.Level3.net [209.245.138.251])
	by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id CAA20290;
	Wed, 10 Oct 2001 02:35:52 -0700 (PDT)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id f9A9Zmx03199;
	Wed, 10 Oct 2001 02:35:48 -0700 (PDT)
	(envelope-from cjc)
Date: Wed, 10 Oct 2001 02:35:47 -0700
From: "Crist J. Clark"
To: Tim Burgess
Cc: freebsd-gnats-submit@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: kern/31130: ipfw tee functionality causes malfunction and security hole
Message-ID: <20011010023547.I387@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <200110090920.f999K2X17814@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200110090920.f999K2X17814@freefall.freebsd.org>; from cristjc@earthlink.net on Tue, Oct 09, 2001 at 02:20:02AM -0700
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Oct 09, 2001 at 02:20:02AM -0700, Crist J. Clark wrote:

[snip]

> On the wire and the packets never get routed to the "real" 172.16.0.1.
> Trying to figure out if,
>
>   a) This is the expected behavior, but is poorly documented, or
>   b) Something is broken.
>
> I'm thinking (b), but still wading through src/sys/netinet to verify.

Well, I see why this happens, but still not sure if it is supposed to
happen. If we look at src/sys/netinet/ip_input.c, we see that all
diverted or teed packets are accepted by the host as destined for
itself,

#ifdef IPDIVERT
	if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
		/* Divert or tee packet */
		divert_info = i;
		goto ours;
	}
#endif

The packets are clearly going to be processed by the gateway.

You seem to have already found this in the code snipped in your
original PR, but I didn't notice your change. Please post changes to
code as unified diffs. I now understand the 'fix' you were talking
about. Have you actually built a kernel with your modifications? Does
it seem to work?

But packets _leaving_ the system seem to be processed as one would
expect. That is, a copy is divert(4)ed and then the packet heads out
onto the wire. This apparent inconsistency is a bug since it is either
unintended behavior or at least undocumented behavior. But the
inconsistency gives you a temporary workaround. Instead of,

  600 tee 8665 ip from any to any in

Does,

  600 tee 8665 ip from any to any out

Work as you would expect?
-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
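Added example, not code from the FreeBSD tree or from anyone in this thread: a small userland C model of the two paths the mail contrasts. The inbound path follows the quoted ip_input.c test (any non-zero, non-dynamic firewall verdict sends the packet to "ours", so a transit packet is consumed by the gateway), while the outbound path models what the mail describes (a tee copy goes to the divert socket and the original continues to the wire). The verdict encoding (port in the low 16 bits), the MODEL_PORT_TEE_FLAG marker and the numeric flag values are assumptions made for this model; only IP_FW_PORT_DYNT_FLAG is named on the page, and its real value is not.

```c
/* Added model of the ipfw tee handling discussed in the mail. Not code
 * from the FreeBSD tree: the verdict encoding, the TEE marker and the
 * flag values below are assumptions made for this example. */
#include <stdio.h>

#define MODEL_PORT_MASK      0xffff   /* assumed: divert port in low 16 bits */
#define MODEL_PORT_DYNT_FLAG 0x10000  /* named in the mail; value assumed */
#define MODEL_PORT_TEE_FLAG  0x20000  /* assumed marker: "tee" rather than "divert" */

enum direction { DIR_IN, DIR_OUT };
enum fate { FATE_OURS, FATE_FORWARDED, FATE_DIVERTED };

struct packet {
    int dst_is_local;   /* 1 if the destination is one of the gateway's own addresses */
};

struct outcome {
    enum fate fate;     /* what happens to the original packet */
    int copy_to_port;   /* divert port that receives a copy (or the packet), 0 if none */
};

/* Verdict for a "tee <port>" rule: the port OR'd with the tee marker,
 * mirroring the integer-plus-flags convention the quoted snippet tests. */
static unsigned int tee_verdict(int port)
{
    return (unsigned int)port | MODEL_PORT_TEE_FLAG;
}

/* Inbound path, following the quoted ip_input.c logic: a non-zero,
 * non-dynamic verdict goes straight to "ours", before the normal
 * "is this address mine, else forward" decision is reached. */
static struct outcome input_path(unsigned int verdict, const struct packet *p)
{
    struct outcome o = { FATE_FORWARDED, 0 };
    if (verdict != 0 && (verdict & MODEL_PORT_DYNT_FLAG) == 0) {
        o.copy_to_port = verdict & MODEL_PORT_MASK;
        o.fate = FATE_OURS;              /* the "goto ours" in the snippet */
        return o;
    }
    o.fate = p->dst_is_local ? FATE_OURS : FATE_FORWARDED;
    return o;
}

/* Outbound path as the mail describes it: a tee copy is handed to the
 * divert socket and the original packet still heads out onto the wire;
 * a plain divert (no tee marker) takes the original off the wire. */
static struct outcome output_path(unsigned int verdict, const struct packet *p)
{
    struct outcome o = { FATE_FORWARDED, 0 };
    (void)p;
    if (verdict != 0 && (verdict & MODEL_PORT_DYNT_FLAG) == 0) {
        o.copy_to_port = verdict & MODEL_PORT_MASK;
        if (!(verdict & MODEL_PORT_TEE_FLAG))
            o.fate = FATE_DIVERTED;
    }
    return o;
}

/* Does a transit packet (destined for another host) still reach its
 * real destination under a tee rule installed in the given direction? */
int transit_reaches_destination(enum direction dir, int tee_port)
{
    struct packet p = { 0 };   /* constructed: not addressed to the gateway */
    unsigned int v = tee_verdict(tee_port);
    struct outcome o = (dir == DIR_IN) ? input_path(v, &p) : output_path(v, &p);
    return o.fate == FATE_FORWARDED;
}

/* Which divert port receives the tee copy in the given direction. */
int copy_port_for(enum direction dir, int tee_port)
{
    struct packet p = { 0 };
    unsigned int v = tee_verdict(tee_port);
    struct outcome o = (dir == DIR_IN) ? input_path(v, &p) : output_path(v, &p);
    return o.copy_to_port;
}

int main(void)
{
    printf("tee 8665 ... in : transit packet forwarded? %d (copy to port %d)\n",
           transit_reaches_destination(DIR_IN, 8665), copy_port_for(DIR_IN, 8665));
    printf("tee 8665 ... out: transit packet forwarded? %d (copy to port %d)\n",
           transit_reaches_destination(DIR_OUT, 8665), copy_port_for(DIR_OUT, 8665));
    return 0;
}
```

The model makes the inconsistency the mail points at concrete: with the rule in the "in" direction the copy still arrives at the divert port, but the original never reaches the forwarding step, which is why the real 172.16.0.1 never sees it; with the same rule in the "out" direction both the copy and the forwarded packet are produced. It is a decision model only and does not reproduce the kernel's actual divert socket plumbing.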