From: Boris Polevoy
To: pf@benzedrine.cx
Cc: freebsd-pf@freebsd.org
Date: Fri, 05 Aug 2005 15:06:19 +0400
Subject: PF ioctl(DIOCADDADDR) possible bug

Hello, All!

I found a possible problem in the function pf_ioctl.c/pfioctl() in FreeBSD 5.4-RELEASE PF.

To add a PF rdr (nat) rule to the active ruleset we have to do several steps:
1) get a pool ticket with ioctl(DIOCBEGINADDRS);
2) create the address pool with several ioctl(DIOCADDADDR) calls;
3) get a ticket for adding the rule with ioctl(DIOCCHANGERULE);
4) add the rule with ioctl(DIOCCHANGERULE).

In step 2 ioctl(DIOCADDADDR) does not check the pool ticket value, and there is a possible situation of malicious or faulty address pool addition without getting a pool ticket from another process.

Is it a bug or not?

With best regards,
Boris Polevoy
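The following is an added example, not part of the original message and not pf source code: a user-space C model of the ticket handshake from steps 1 and 2, showing how a missing ticket check lets a second caller's address land in the first caller's staging pool. The struct, the function names, the EBUSY return and the sample addresses are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_MAX 8
/* User-space model of the kernel's staging pool; all names are hypothetical. */
struct staging_pool {
    uint32_t ticket;           /* ticket issued by the last begin */
    uint32_t addrs[POOL_MAX];  /* staged IPv4 addresses, host order */
    int count;
};

typedef int (*add_fn)(struct staging_pool *, uint32_t, uint32_t);

/* Models DIOCBEGINADDRS: empty the pool and issue a fresh ticket. */
uint32_t pool_begin(struct staging_pool *p) {
    p->count = 0;
    return ++p->ticket;
}

/* Models DIOCADDADDR as the message describes it: the ticket is ignored. */
int pool_add_unchecked(struct staging_pool *p, uint32_t ticket, uint32_t addr) {
    (void)ticket;
    if (p->count >= POOL_MAX) return ENOSPC;
    p->addrs[p->count++] = addr;
    return 0;
}

/* Same operation with the ticket validated (EBUSY is this model's choice). */
int pool_add_checked(struct staging_pool *p, uint32_t ticket, uint32_t addr) {
    if (ticket != p->ticket) return EBUSY;
    return pool_add_unchecked(p, ticket, addr);
}

/* A begins and adds; B adds without calling begin. Returns the staged count. */
int staged_after_interleave(add_fn add) {
    struct staging_pool p = {0};
    uint32_t a_ticket = pool_begin(&p);
    add(&p, a_ticket, 0x0a000001u);  /* A: 10.0.0.1 (constructed) */
    add(&p, 0, 0xc0a80163u);         /* B: 192.168.1.99 (constructed), no ticket */
    return p.count;
}

int main(void) {
    printf("unchecked: %d staged, checked: %d staged\n",
           staged_after_interleave(pool_add_unchecked),
           staged_after_interleave(pool_add_checked));
    return 0;
}
```

With the check in place, only the caller holding the current ticket can contribute addresses to the pool that its later rule change will consume.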