From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 7 08:40:25 2005
Message-Id: <20050207083246.702CB47@mb.tns.cz>
Date: Mon, 7 Feb 2005 09:32:46 +0100 (CET)
From: Martin Beran
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/77195: [patch] Ipfilter ioctl SIOCGNATL does not match active sessions properly
Reply-To: Martin Beran
List-Id: Bug reports

>Number:         77195
>Category:       kern
>Synopsis:       [patch] Ipfilter ioctl SIOCGNATL does not match active sessions properly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 07 08:40:25 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 5.3-RELEASE FreeBSD 5.3-RELEASE #1: Tue Dec 28 17:56:21 CET 2004 root@mb.tns.cz:/usr/obj/usr/src/sys/MB i386
>Description:
Ipfilter provides the ioctl SIOCGNATL, which can be used to obtain the original destination IP address of a redirected connection. Matching against the table of active sessions is not performed properly. The protocol type is ignored, and port numbers are used as input to the hash function, but the records from the hash table are not checked for whether they have the correct ports. As a result, ipfilter sometimes reports the original destination of a redirected connection incorrectly.

I have tested this problem on 5.3-RELEASE, but according to the source code (/usr/src/sys/contrib/ipfilter/netinet/ip_nat.c, function nat_lookupredir), it is also present in 4.11-RELEASE and in CURRENT.
>How-To-Repeat:
Create a redirection rule, e.g.,

    rdr lo0 127.0.0.1/32 port 53 -> 127.0.0.1 port 53538 udp

Create many (several hundred) active sessions by sending UDP datagrams from localhost, various source ports, to localhost, port 53.
Then start opening TCP connections from localhost, various source ports, to localhost, some arbitrarily chosen port (other than 53). For each connection, try to find the original destination via the SIOCGNATL ioctl. From time to time, the ioctl responds that the destination is port 53.
>Fix:
--- /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c 2005/02/04 16:07:35 +++ /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c 2005/02/06 13:54:31 @@ -2239,7 +2239,20 @@ { nat_t *nat; fr_info_t fi; + int proto; + switch(np->nl_flags & IPN_TCPUDP) { + case IPN_TCP: + proto = IPPROTO_TCP; + break; + case IPN_UDP: + proto = IPPROTO_UDP; + break; + default: + proto = 0; + break; + } + bzero((char *)&fi, sizeof(fi)); fi.fin_data[0] = ntohs(np->nl_inport); fi.fin_data[1] = ntohs(np->nl_outport); @@ -2248,7 +2261,7 @@ * If nl_inip is non null, this is a lookup based on the real * ip address. Else, we use the fake. */ - if ((nat = nat_outlookup(&fi, np->nl_flags, 0, np->nl_inip, + if ((nat = nat_outlookup(&fi, np->nl_flags, proto, np->nl_inip, np->nl_outip, 0))) { np->nl_realip = nat->nat_outip; np->nl_realport = nat->nat_outport;
>Release-Note:
>Audit-Trail:
>Unformatted:
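Review bot: the default arm of the new switch in the first hunk (@@ -2239,7 +2239,20 @@) maps a request with neither IPN_TCP nor IPN_UDP set, and one with both bits set, to proto = 0, which is exactly the pre-patch argument and so silently falls back to the protocol-ignoring lookup the report complains about; if nat_lookupredir callers have no legitimate protocol-less case, fail the request in that arm instead, or at least add a comment stating why 0 is acceptable there. Related: the >Description says port numbers are hashed but not compared, and this hunk adds no port comparison itself, so the fix relies on nat_outlookup() honouring the ports once a non-zero protocol is passed; a one-line comment above the switch saying so would save the next reader a trip into nat_outlookup(). Style: `switch (np->nl_flags & IPN_TCPUDP) {` with a space after the keyword, per style(9).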
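Review bot: the block comment kept as context in the second hunk (@@ -2248,7 +2261,7 @@) describes two lookup paths, one based on the real address when nl_inip is non-null and one based on the fake address, yet only the nat_outlookup() call for the first path is changed to pass proto; confirm that the other path, if it also hands a literal 0 protocol to a lookup routine, receives the same change, otherwise SIOCGNATL will keep matching the wrong session on that path.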
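The following is an added illustration and is not code from this report or from IPFilter. It is a small C model of the defect described under >Description and exercised by the >How-To-Repeat steps: the table size NAT_BUCKETS, the hash function, the entry layout and the constants LO, P_TCP, P_UDP, RDR_FROM_PORT and RDR_TO_PORT are all assumptions chosen to make a collision easy to show. lookup_buggy() models the pre-patch comparison (addresses only, even though the ports fed the hash), and lookup_fixed() models the post-patch comparison (protocol, and for TCP/UDP the ports). The model loads several hundred UDP sessions redirected from port 53 to 53538, then probes TCP source ports against an unrelated destination port; every probe that lands in a bucket holding a UDP entry is wrongly reported as redirected from port 53 by the buggy lookup and correctly reported as unmatched by the fixed one.

```c
/*
 * Model of the SIOCGNATL lookup defect from kern/77195.  Added example, not
 * IPFilter code: hash, table size, entry layout and constants are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NAT_BUCKETS   127          /* assumed table size; small so buckets fill up */
#define LO            0x7f000001u  /* 127.0.0.1 */
#define P_TCP         6
#define P_UDP         17
#define RDR_FROM_PORT 53           /* rdr ... port 53 -> ... port 53538 (from the report) */
#define RDR_TO_PORT   53538

typedef struct nat_entry {
    uint32_t src, dst;          /* client address and the destination it connected to */
    uint16_t sport, dport;
    uint8_t  proto;
    uint16_t real_dport;        /* destination port before the rdr rewrote it */
    struct nat_entry *next;
} nat_entry;

static nat_entry *table[NAT_BUCKETS];

/* Ports are part of the hash key, as the report says they are ... */
static unsigned nat_hash(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    return (src ^ dst ^ sport ^ dport) % NAT_BUCKETS;
}

void nat_reset(void)
{
    for (int i = 0; i < NAT_BUCKETS; i++) {
        while (table[i]) {
            nat_entry *n = table[i];
            table[i] = n->next;
            free(n);
        }
    }
}

static void nat_add(uint8_t proto, uint32_t src, uint16_t sport,
                    uint32_t dst, uint16_t dport, uint16_t real_dport)
{
    nat_entry *n = calloc(1, sizeof *n);
    if (!n)
        abort();
    n->proto = proto; n->src = src; n->sport = sport;
    n->dst = dst; n->dport = dport; n->real_dport = real_dport;
    unsigned h = nat_hash(src, dst, sport, dport);
    n->next = table[h];
    table[h] = n;
}

/* ... but the pre-patch comparison looks only at the addresses, so any entry
 * sharing the bucket and the address pair is returned. */
nat_entry *lookup_buggy(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    for (nat_entry *n = table[nat_hash(src, dst, sport, dport)]; n; n = n->next)
        if (n->src == src && n->dst == dst)
            return n;
    return NULL;
}

/* Post-patch shape: the protocol must match, and for TCP/UDP so must the ports. */
nat_entry *lookup_fixed(uint8_t proto, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport)
{
    for (nat_entry *n = table[nat_hash(src, dst, sport, dport)]; n; n = n->next) {
        if (n->src != src || n->dst != dst || n->proto != proto)
            continue;
        if ((proto == P_TCP || proto == P_UDP) &&
            (n->sport != sport || n->dport != dport))
            continue;
        return n;
    }
    return NULL;
}

/* The report's setup: hundreds of UDP sessions from varying source ports to
 * 127.0.0.1:53, each one redirected to 127.0.0.1:53538. */
void setup_sessions(void)
{
    nat_reset();
    for (uint16_t sport = 20000; sport < 20500; sport++)
        nat_add(P_UDP, LO, sport, LO, RDR_TO_PORT, RDR_FROM_PORT);
}

/* Probe TCP connections to an unrelated port.  No rdr covers them, so every
 * entry returned is a false match; returns how many probes were misreported. */
int false_matches(int use_fixed, uint16_t from, uint16_t to, uint16_t dport)
{
    int hits = 0;
    for (uint32_t sport = from; sport <= to; sport++) {
        nat_entry *n = use_fixed
            ? lookup_fixed(P_TCP, LO, LO, (uint16_t)sport, dport)
            : lookup_buggy(LO, LO, (uint16_t)sport, dport);
        if (n)
            hits++;
    }
    return hits;
}

int main(void)
{
    setup_sessions();
    printf("buggy lookup: %d TCP probes misreported as redirected from port %d\n",
           false_matches(0, 30000, 39999, 8080), RDR_FROM_PORT);
    printf("fixed lookup: %d misreported\n", false_matches(1, 30000, 39999, 8080));
    nat_reset();
    return 0;
}
```

Compile with `cc -std=c99 model.c && ./a.out`. The fixed lookup reports zero false matches because no TCP entry exists for the probed destination port; the buggy count depends only on which probe ports share a bucket with a UDP session, which is why the report sees the wrong answer only "from time to time" rather than on every query.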