From nobody@FreeBSD.org  Sun May 11 11:14:37 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 62B7ACE0
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 May 2014 11:14:37 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 304672A30
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 May 2014 11:14:37 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s4BBEbUA093937
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 May 2014 11:14:37 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s4BBEbnk093936;
	Sun, 11 May 2014 11:14:37 GMT
	(envelope-from nobody)
Message-Id: <201405111114.s4BBEbnk093936@cgiserv.freebsd.org>
Date: Sun, 11 May 2014 11:14:37 GMT
From: Andriy Mayevskyy <major12@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ipfw] ipfw does not pass same_ports option to kernel nat (libalias)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         189655
>Category:       kern
>Synopsis:       [ipfw] ipfw does not pass same_ports option to kernel nat (libalias)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ae
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 11 11:20:00 UTC 2014
>Closed-Date:    Mon May 26 09:17:04 UTC 2014
>Last-Modified:  Mon May 26 09:17:04 UTC 2014
>Originator:     Andriy Mayevskyy
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD natbox 9.2-RELEASE FreeBSD 9.2-RELEASE #0: Mon Apr 21 17:32:51 EEST 2014 root@natbox:/usr/obj/usr/src/sys/TEST i386
>Description:
ipfw command is used to configure kernel nat.
ipfw option 'same_ports' seems to be ignored while configuration and kernel nat (libalias) always behaves like this option was enabled.

E.g.
If we send packet from 10.0.0.5 port 200
with same_ports packed should be aliased (if possible) to <alias_addr>:200
and w/o same_ports to <alias_addr>:<random_port>

Currently packets are aliased to port 200 in both cases
ipfw nat 1 config if em1 same_ports
and
ipfw nat 1 config if em1
>How-To-Repeat:
Test kernel is:
-------------
ident TEST
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options LIBALIAS
options IPFIREWALL_NAT
include GENERIC
-------------
ipfw is configured in next way:

ipfw nat 1 config if em1
ipfw add 100 nat 1 ip from any to any via em1

Network layout is
client --(em0) natbox (em1)-- internet

At client I use python script to bind to port 200 and send packets to internet.
At natbox I can check packets with tcpdump -n -i em1
>Fix:
I suppose that there is a bug in
sys/netpfil/ipfw/ip_fw_nat.c

LibAliasSetMode has next prototype

/* Change mode for some operations */
unsigned int
LibAliasSetMode(
    struct libalias *la,
    unsigned int flags,		/* Which state to bring flags to */
    unsigned int mask		/* Mask of which flags to affect (use 0 to
				 * do a probe for flag values) */
)

and it is called in wrong way
LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode);

This code will set only the bits that are 1 (ones). But we need to clear bit that is responsible for SAME_PORTS so this bit value should be 0 in mode and 1 in mask.

So since same_ports are enable by default in libalias and ipfw fails to change it we have described incorrect behavior.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue May 13 04:54:36 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=189655 
Responsible-Changed-From-To: freebsd-ipfw->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri May 16 11:49:10 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=189655 

From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: bug-followup@FreeBSD.org, major12@gmail.com
Cc:  
Subject: Re: kern/189655: [ipfw] ipfw does not pass same_ports option to kernel
 nat (libalias)
Date: Fri, 16 May 2014 18:11:52 +0400

 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
 --7LHBuKohGpgGaPdHPMT22eqoDxCkoOJJh
 Content-Type: multipart/mixed;
  boundary="------------070302040103010109070904"
 
 This is a multi-part message in MIME format.
 --------------070302040103010109070904
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 Hello, Andriy.
 
 Your analysis is correct. Can you test this patch?
 It looks like this behavior was copied from the ng_nat without any
 change. ng_nat and natd call LibAliasSetMode for each option and it is
 ok for them, but ipfw nat does its configuration in one step, so I think
 it is safe to pass ~0 as mask.
 
 --=20
 WBR, Andrey V. Elsukov
 
 --------------070302040103010109070904
 Content-Type: text/x-patch;
  name="ipfw_nat.diff"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment;
  filename="ipfw_nat.diff"
 
 Index: head/sys/netpfil/ipfw/ip_fw_nat.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- head/sys/netpfil/ipfw/ip_fw_nat.c	(revision 266005)
 +++ head/sys/netpfil/ipfw/ip_fw_nat.c	(working copy)
 @@ -443,7 +443,7 @@ ipfw_nat_cfg(struct sockopt *sopt)
  	ptr->ip =3D cfg->ip;
  	ptr->redir_cnt =3D cfg->redir_cnt;
  	ptr->mode =3D cfg->mode;
 -	LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode);
 +	LibAliasSetMode(ptr->lib, cfg->mode, ~0);
  	LibAliasSetAddress(ptr->lib, ptr->ip);
  	memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE);
 =20
 
 --------------070302040103010109070904--
 
 --7LHBuKohGpgGaPdHPMT22eqoDxCkoOJJh
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename="signature.asc"
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (FreeBSD)
 
 iQEcBAEBAgAGBQJTdhytAAoJEAHF6gQQyKF65cgH/0uytF5tu/L1IiR7ZB+KF8rM
 EFLKWuzDSdWyv/47wyJWwRLyKY74InzseC+H6R5vJ/JaB80cMbW0ddr65fBwTYJf
 eEzrEkNXFo/UHWpwUrOv9sBmEA9zzyRR3Cn9bQxJJu8h7XVj9z0CQqFh+liH+gI8
 VLRHj+fDH1q4hDmOVTlvSr3CEAfvu0C51hX49GyYmZ4G+i3L6E1pV9t/Z4dVgOYO
 ukNTasxKo7rVknnKbq1o+N3F3m4aDO/Gt0YQOdeEanmvxXQeWdYFj2xR5C+NfDQG
 8PwSPIOIBWGB52xm2usMySjPm0qMHzvFJXRRurZ3CXFbw7XT+2YV3Nb0k376hbQ=
 =4Gt1
 -----END PGP SIGNATURE-----
 
 --7LHBuKohGpgGaPdHPMT22eqoDxCkoOJJh--

From: Andriy Mayevskyy <major12@gmail.com>
To: "Andrey V. Elsukov" <ae@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/189655: [ipfw] ipfw does not pass same_ports option to
 kernel nat (libalias)
Date: Sun, 18 May 2014 14:43:47 +0300

 With your patch the option works correctly. Good job.
 
 On Fri, May 16, 2014 at 5:11 PM, Andrey V. Elsukov <ae@freebsd.org> wrote:
 > Hello, Andriy.
 >
 > Your analysis is correct. Can you test this patch?
 > It looks like this behavior was copied from the ng_nat without any
 > change. ng_nat and natd call LibAliasSetMode for each option and it is
 > ok for them, but ipfw nat does its configuration in one step, so I think
 > it is safe to pass ~0 as mask.
 >
 > --
 > WBR, Andrey V. Elsukov

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/189655: commit references a PR
Date: Sun, 18 May 2014 14:25:23 +0000 (UTC)

 Author: ae
 Date: Sun May 18 14:25:19 2014
 New Revision: 266399
 URL: http://svnweb.freebsd.org/changeset/base/266399
 
 Log:
   Since ipfw nat configures all options in one step, we should set all bits
   in the mask when calling LibAliasSetMode() to properly clear unneeded
   options.
   
   PR:		189655
   MFC after:	1 week
   Sponsored by:	Yandex LLC
 
 Modified:
   head/sys/netpfil/ipfw/ip_fw_nat.c
 
 Modified: head/sys/netpfil/ipfw/ip_fw_nat.c
 ==============================================================================
 --- head/sys/netpfil/ipfw/ip_fw_nat.c	Sun May 18 14:18:23 2014	(r266398)
 +++ head/sys/netpfil/ipfw/ip_fw_nat.c	Sun May 18 14:25:19 2014	(r266399)
 @@ -443,7 +443,7 @@ ipfw_nat_cfg(struct sockopt *sopt)
  	ptr->ip = cfg->ip;
  	ptr->redir_cnt = cfg->redir_cnt;
  	ptr->mode = cfg->mode;
 -	LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode);
 +	LibAliasSetMode(ptr->lib, cfg->mode, ~0);
  	LibAliasSetAddress(ptr->lib, ptr->ip);
  	memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE);
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: ae 
State-Changed-When: Sun May 18 14:39:36 UTC 2014 
State-Changed-Why:  
Patched in head/. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=189655 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/189655: commit references a PR
Date: Mon, 26 May 2014 07:02:06 +0000 (UTC)

 Author: ae
 Date: Mon May 26 07:02:03 2014
 New Revision: 266678
 URL: http://svnweb.freebsd.org/changeset/base/266678
 
 Log:
   MFC r266399:
     Since ipfw nat configures all options in one step, we should set all bits
     in the mask when calling LibAliasSetMode() to properly clear unneeded
     options.
   
     PR:		189655
 
 Modified:
   stable/10/sys/netpfil/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sys/netpfil/ipfw/ip_fw_nat.c
 ==============================================================================
 --- stable/10/sys/netpfil/ipfw/ip_fw_nat.c	Mon May 26 02:19:50 2014	(r266677)
 +++ stable/10/sys/netpfil/ipfw/ip_fw_nat.c	Mon May 26 07:02:03 2014	(r266678)
 @@ -441,7 +441,7 @@ ipfw_nat_cfg(struct sockopt *sopt)
  	ptr->ip = cfg->ip;
  	ptr->redir_cnt = cfg->redir_cnt;
  	ptr->mode = cfg->mode;
 -	LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode);
 +	LibAliasSetMode(ptr->lib, cfg->mode, ~0);
  	LibAliasSetAddress(ptr->lib, ptr->ip);
  	memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE);
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/189655: commit references a PR
Date: Mon, 26 May 2014 08:22:38 +0000 (UTC)

 Author: ae
 Date: Mon May 26 08:22:34 2014
 New Revision: 266680
 URL: http://svnweb.freebsd.org/changeset/base/266680
 
 Log:
   MFC r266399:
     Since ipfw nat configures all options in one step, we should set all bits
     in the mask when calling LibAliasSetMode() to properly clear unneeded
     options.
   
     PR:		189655
   Approved by:	re (marius)
 
 Modified:
   stable/9/sys/netpfil/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/9/sys/   (props changed)
   stable/9/sys/netpfil/   (props changed)
 
 Modified: stable/9/sys/netpfil/ipfw/ip_fw_nat.c
 ==============================================================================
 --- stable/9/sys/netpfil/ipfw/ip_fw_nat.c	Mon May 26 07:04:30 2014	(r266679)
 +++ stable/9/sys/netpfil/ipfw/ip_fw_nat.c	Mon May 26 08:22:34 2014	(r266680)
 @@ -442,7 +442,7 @@ ipfw_nat_cfg(struct sockopt *sopt)
  	ptr->ip = cfg->ip;
  	ptr->redir_cnt = cfg->redir_cnt;
  	ptr->mode = cfg->mode;
 -	LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode);
 +	LibAliasSetMode(ptr->lib, cfg->mode, ~0);
  	LibAliasSetAddress(ptr->lib, ptr->ip);
  	memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE);
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Mon May 26 09:16:46 UTC 2014 
State-Changed-Why:  
Merged to stable/9 and stable/10. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=189655 
>Unformatted:
