From mdg@secureworks.net  Mon Oct 20 09:03:23 2003
Return-Path: <mdg@secureworks.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1A75F16A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 20 Oct 2003 09:03:23 -0700 (PDT)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155])
	by mx1.FreeBSD.org (Postfix) with SMTP id 1DDA743FBD
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 20 Oct 2003 09:03:22 -0700 (PDT)
	(envelope-from mdg@secureworks.net)
Received: (qmail 89561 invoked from network); 20 Oct 2003 16:01:02 -0000
Received: from unknown (HELO HOST-192-168-10-225.internal.secureworks.net) (63.239.86.253)
  by mail.secureworks.net with SMTP; 20 Oct 2003 16:01:02 -0000
Message-Id: <20031020120039.O33518@localhost>
Date: Mon, 20 Oct 2003 12:03:00 -0400 (EDT)
From: Matthew George <mdg@secureworks.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipnat map protocol specification broken

>Number:         58287
>Category:       kern
>Synopsis:       ipnat map protocol specification broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 20 09:10:11 PDT 2003
>Closed-Date:    Sat May 15 06:12:28 PDT 2004
>Last-Modified:  Sat May 15 06:12:28 PDT 2004
>Originator:     Matthew George
>Release:        FreeBSD 4.8-RELEASE-p1 i386
>Organization:
SecureWorks
>Environment:
System: FreeBSD fbsd.secureworks.net 4.8-RELEASE-p1 FreeBSD 4.8-RELEASE-p1 #4: Thu Sep 25 12:29:50 EDT 2003 mdg@fbsd.secureworks.net:/usr/src/sys/compile/SW-GENERIC-SMP i386
>Description:
	The docs in ipnat(5) provide the following description of ipnat map
	with regards to protocol specification:

	map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions.
	mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
	tcpudp ::= "tcp/udp" | protocol .
	protocol ::= protocol-name | decnumber .

	However, ipnat refuses to properly parse a rule with a protocol specified.

>How-To-Repeat:
	# ipnat -f -
	map dc0 from 192.168.0.0/16 to any -> w.x.y.z/32 icmp
	1: extra junk at the end of the line: icmp
	1: syntax error in "map"

>Fix:

	I only looked at this very shortly, but the problem appears to be around
	line 458 of natparse.c.  It looks like the protocol is only examined and
	dealt with if !(ipn.in_redir & (NAT_MAP|NAT_MAPBLK)).


-- 
Matthew George
SecureWorks Technical Operations

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: kris 
Responsible-Changed-When: Wed Oct 22 19:30:00 PDT 2003 
Responsible-Changed-Why:  
Assign to ipfilter author 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58287 
State-Changed-From-To: open->closed 
State-Changed-By: darrenr 
State-Changed-When: Sat May 15 06:10:06 PDT 2004 
State-Changed-Why:  
ipnat doesn't support arbitrary protocol matching for "map" rules. 
In this case, it is the docs (ipnat(5)) that are incorrect. 
An update for ipnat(5) will come with the next import of ipfilter. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58287 
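The grammar excerpt in the Description and the resolution in the audit trail disagree about whether a `map` rule may carry a protocol selector. The following added example (not part of the PR, and not ipfilter's own code) is a small pre-load linter for `map` rules: it parses a rule according to the quoted grammar (`map`, `mapoptions`, `tcpudp`, `protocol`) and then reports a protocol token on a `map` or `map-block` rule as unsupported, which is what ipnat's "extra junk at the end of the line" error means in practice. Assumptions: the `from <ipmask> to <ipmask>` source form from the How-To-Repeat is accepted as an alternative to a bare `ipmask`; `any` is read as `0.0.0.0/0`; `portmap <tcpudp> <portrange>`, `age <n>` and `mssclamp <n>` are handled in their simplest shapes; the protocol-name table is a constructed subset; and `203.0.113.5` stands in for the PR's `w.x.y.z` placeholder.

```python
"""Lint ipnat 'map' rules before loading them with ``ipnat -f``.

Constructed example: implements the ipnat(5) grammar excerpt quoted in the PR
and flags a protocol selector on a map rule, which ipnat rejects even though
the 4.x ipnat(5) text admits it.
"""
import ipaddress

# Constructed subset of protocol names; real ipnat uses getprotobyname(3).
PROTOCOL_NAMES = {"tcp", "udp", "icmp", "gre", "esp", "ah", "ipip"}


class RuleError(ValueError):
    """Raised when a rule does not match the documented grammar."""


def _ipmask(tok):
    # ipmask ::= ip "/" decnumber ; "any" read as 0.0.0.0/0 (assumption)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(tok, strict=False)
    except ValueError as exc:
        raise RuleError(f"bad ipmask {tok!r}") from exc


def _is_protocol(tok):
    # tcpudp ::= "tcp/udp" | protocol ; protocol ::= protocol-name | decnumber
    return tok == "tcp/udp" or tok in PROTOCOL_NAMES or tok.isdigit()


def parse_map_rule(line):
    """Parse one map rule into a dict following the ipnat(5) grammar excerpt."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("map", "map-block"):
        raise RuleError("rule must start with 'map' or 'map-block'")
    rule = {"mapit": toks[0], "ifname": toks[1], "proto": None, "options": {}}
    i = 2
    if toks[i] == "from":  # "from" ipmask "to" ipmask (assumed alternative form)
        if len(toks) < i + 4 or toks[i + 2] != "to":
            raise RuleError("expected 'from <ipmask> to <ipmask>'")
        rule["src"], rule["dst"] = _ipmask(toks[i + 1]), _ipmask(toks[i + 3])
        i += 4
    else:  # bare ipmask source
        rule["src"], rule["dst"] = _ipmask(toks[i]), None
        i += 1
    if i + 1 >= len(toks) or toks[i] != "->":
        raise RuleError("expected '->' dstipmask")
    rule["map_to"] = _ipmask(toks[i + 1])
    i += 2
    # mapport: "portmap" tcpudp portrange (simplest shape, assumption)
    if i < len(toks) and toks[i] == "portmap":
        if i + 2 >= len(toks) or not _is_protocol(toks[i + 1]):
            raise RuleError("portmap needs a protocol and a port range")
        rule["portmap"] = (toks[i + 1], toks[i + 2])
        i += 3
    # mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ]
    if i < len(toks) and _is_protocol(toks[i]):
        rule["proto"] = toks[i]
        i += 1
    while i < len(toks):
        tok = toks[i]
        if tok == "frag":
            rule["options"]["frag"] = True
            i += 1
        elif tok in ("age", "mssclamp") and i + 1 < len(toks) and toks[i + 1].isdigit():
            rule["options"][tok] = int(toks[i + 1])
            i += 2
        else:
            # Same wording ipnat prints when it cannot consume a trailing token.
            raise RuleError(f"extra junk at the end of the line: {tok}")
    return rule


def lint_rules(text):
    """Return (line number, message) findings for a block of ipnat rules."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            rule = parse_map_rule(line)
        except RuleError as exc:
            findings.append((n, f"syntax: {exc}"))
            continue
        if rule["proto"] is not None:
            # Per the PR resolution: map rules take no protocol selector.
            findings.append((n, "protocol selector %r is not supported on %s rules; "
                                "ipnat will reject the line" % (rule["proto"], rule["mapit"])))
    return findings


# Constructed rule set; 203.0.113.5 stands in for the PR's w.x.y.z placeholder.
SAMPLE_RULES = """\
map dc0 from 192.168.0.0/16 to any -> 203.0.113.5/32 icmp
map dc0 192.168.0.0/16 -> 203.0.113.5/32 portmap tcp/udp 10000:20000
map dc0 192.168.0.0/16 -> 203.0.113.5/32
"""

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"{lineno}: {msg}")
```

Run against the sample, only the first rule (the one from the How-To-Repeat) is reported; the `portmap` form, where ipnat does take a protocol, passes. Running a check like this in a deploy script catches the documentation-versus-parser mismatch before `ipnat -f` fails partway through a rule set and leaves the NAT table half-loaded.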
>Unformatted:
