From ghelmer@mocha.cs.iastate.edu Mon Mar  1 06:47:40 1999
Return-Path: <ghelmer@mocha.cs.iastate.edu>
Received: from mocha.cs.iastate.edu (mocha.cs.iastate.edu [129.186.3.34])
	by hub.freebsd.org (Postfix) with ESMTP id 90CB61538C
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  1 Mar 1999 06:47:38 -0800 (PST)
	(envelope-from ghelmer@mocha.cs.iastate.edu)
Received: (from ghelmer@localhost)
	by mocha.cs.iastate.edu (8.9.3/8.9.1) id IAA05041;
	Mon, 1 Mar 1999 08:47:18 -0600 (CST)
	(envelope-from ghelmer)
Message-Id: <199903011447.IAA05041@mocha.cs.iastate.edu>
Date: Mon, 1 Mar 1999 08:47:18 -0600 (CST)
From: Guy Helmer <ghelmer@mocha.cs.iastate.edu>
Reply-To: ghelmer@mocha.cs.iastate.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: ip_fw allows divert rules even though not built with IPDIVERT option
X-Send-Pr-Version: 3.2

>Number:         10324
>Category:       kern
>Synopsis:       ip_fw allows divert rules even though not built with IPDIVERT option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar  1 06:50:00 PST 1999
>Closed-Date:    Fri Jun 11 04:36:56 PDT 1999
>Last-Modified:  Fri Jun 11 04:39:56 PDT 1999
>Originator:     Guy Helmer
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
ISU Dept of Computer Science
>Environment:

	All kernels with IPFIREWALL or the ip_fw lkm/kld module

>Description:

	sys/netinet/ip_fw.c will allow divert rules to be defined
	without having been compiled with the IPDIVERT option.  If
	not built with the IPDIVERT option, ip_fw should complain about
	divert rules.

>How-To-Repeat:

	Boot with a GENERIC kernel and load the ip_fw module, or boot
	a kernel built with the IPFIREWALL option but not with the IPDIVERT
	option.  Then install an ipfw divert rule and try to use natd.
	"ipfw show" will show that packets are matching the divert rule,
	but "natd -v" will not show any packets being diverted and
	"netstat -a" will not show the divert socket.

>Fix:
	
	A fix would be for ip_fw.c to disallow divert rules if not
	built with the IPDIVERT option:

--- ip_fw.c.ORIG	Tue Feb 16 08:03:11 1999
+++ ip_fw.c	Mon Mar  1 08:45:45 1999
@@ -1103,6 +1103,11 @@
 		}
 		break;
 	case IP_FW_F_DIVERT:		/* Diverting to port zero is invalid */
+#ifndef IPDIVERT
+		dprintf(("divert disabled\n"));
+		return (EINVAL);
+		/* #else fall through */
+#endif
 	case IP_FW_F_PIPE:              /* piping through 0 is invalid */
 	case IP_FW_F_TEE:
 		if (frwl->fw_divert_port == 0) {
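Review bot: the guard covers only IP_FW_F_DIVERT, while IP_FW_F_TEE two lines below shares the same fw_divert_port check and likewise hands the packet to a divert socket, so a tee rule still gets accepted on a kernel without IPDIVERT and fails just as silently as the divert rule this PR describes. Put `case IP_FW_F_TEE:` directly under `case IP_FW_F_DIVERT:` so both sit above the `#ifndef IPDIVERT` block, and leave IP_FW_F_PIPE below it. Also, dprintf() is only visible with the firewall debug knob on, so an administrator adding the rule sees a bare EINVAL from ipfw(8) with no reason; since the whole complaint is that the failure is silent, a plain printf() such as "ipfw: divert/tee rule rejected, kernel built without IPDIVERT" at this point would be more useful than the dprintf. The `/* #else fall through */` comment reads oddly for a preprocessor conditional with no #else; `/* IPDIVERT: fall through to the port check */` states the intent more clearly.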

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Fri Jun 11 04:36:56 PDT 1999 
State-Changed-Why:  
Fixed in -CURRENT (src/sys/netinet/ip_fw.c,v 1.113). 


Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Fri Jun 11 04:36:56 PDT 1999 
Responsible-Changed-Why:  
So I remember to MFC. 
>Unformatted:
