From mb@tns.cz  Mon Feb  7 08:32:49 2005
Return-Path: <mb@tns.cz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E3A9916A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Feb 2005 08:32:49 +0000 (GMT)
Received: from debian.net-online.cz (debian.net-online.cz [82.117.134.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C802E43D58
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Feb 2005 08:32:48 +0000 (GMT)
	(envelope-from mb@tns.cz)
Received: from mb.tns.cz (unknown [82.117.134.24])
	by debian.net-online.cz (Postfix) with ESMTP id BA946CDC029
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  7 Feb 2005 09:27:44 +0100 (CET)
Received: by mb.tns.cz (Postfix, from userid 1205)
	id 702CB47; Mon,  7 Feb 2005 09:32:46 +0100 (CET)
Message-Id: <20050207083246.702CB47@mb.tns.cz>
Date: Mon,  7 Feb 2005 09:32:46 +0100 (CET)
From: Martin Beran <mb@tns.cz>
Reply-To: Martin Beran <mb@tns.cz>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] Ipfilter ioctl SIOCGNATL does not match active sessions properly
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         77195
>Category:       kern
>Synopsis:       [ipfilter] [patch] ipfilter ioctl SIOCGNATL does not match active sessions properly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 07 08:40:25 GMT 2005
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:17:13 UTC 2013
>Originator:     Martin Beran <mb@tns.cz>
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 5.3-RELEASE FreeBSD 5.3-RELEASE #1: Tue Dec 28 17:56:21 CET 2004 root@mb.tns.cz:/usr/obj/usr/src/sys/MB i386

>Description:
Ipfilter provides the ioctl SIOCGNATL, which can be used to obtain the original
destination IP address of a redirected connection. Matching against the table of
active sessions is not performed properly. The protocol type is ignored, and
port numbers are used as input to the hash function, but records from the
hash table are not checked for the correct ports. As a result,
ipfilter sometimes reports the original destination of a redirected connection
incorrectly.
I have tested this problem on 5.3-RELEASE, but according to the source code
(/usr/src/sys/contrib/ipfilter/netinet/ip_nat.c, function nat_lookupredir), it
is also present in 4.11-RELEASE and in CURRENT.
>How-To-Repeat:
Create a redirection rule, e.g.,
rdr lo0 127.0.0.1/32 port 53 -> 127.0.0.1 port 53538 udp
Create many (several hundred) active sessions by sending UDP datagrams from
localhost, various source ports, to localhost, port 53. Then start opening TCP
connections from localhost, various source ports, to localhost, some
arbitrarily chosen port (other than 53). For each connection, try to find the
original destination by SIOCGNATL ioctl. From time to time, the ioctl responds
that the destination is port 53.
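To make the lookup defect described above concrete, the following is an added illustration and not ipfilter's code: a toy session table hashed on ports, with a lookup that compares only addresses beside one that also checks protocol and both ports. The bucket count, the port-XOR hash, and all names are assumptions.

```c
#include <stdint.h>
/* Added illustration of the SIOCGNATL lookup defect; not ipfilter code.
 * A toy session table hashed on ports, as the report describes. */
#define NBUCKETS 8
#define MAXSESS 64
#define PROTO_TCP 6
#define PROTO_UDP 17
typedef struct sess {
	uint32_t src, dst;               /* IPv4 addresses, host order */
	uint16_t sport, dport, realport; /* ports hashed on; original dst port */
	uint8_t proto;                   /* PROTO_TCP or PROTO_UDP */
	struct sess *next;
} sess_t;
static sess_t pool[MAXSESS], *bucket[NBUCKETS];
static int npool;
static unsigned hash_ports(uint16_t sport, uint16_t dport)
{
	return (sport ^ dport) % NBUCKETS;   /* collisions are easy to hit */
}

int sess_add(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
    uint8_t proto, uint16_t realport)
{
	if (npool >= MAXSESS)
		return -1;
	sess_t *s = &pool[npool++];
	s->src = src; s->dst = dst; s->sport = sport; s->dport = dport;
	s->proto = proto; s->realport = realport;
	unsigned h = hash_ports(sport, dport);
	s->next = bucket[h]; bucket[h] = s;   /* newest entry heads the chain */
	return 0;
}

/* Buggy lookup: the bucket is chosen by the ports, but entries are matched
 * on addresses only, so a UDP port-53 session can answer a TCP query whose
 * ports merely hash to the same bucket. Returns realport, 0 if no match. */
int lookup_buggy(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
	for (sess_t *s = bucket[hash_ports(sport, dport)]; s; s = s->next)
		if (s->src == src && s->dst == dst)
			return s->realport;
	return 0;
}

/* Fixed lookup: protocol and both ports must also match the entry. */
int lookup_fixed(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
    uint8_t proto)
{
	for (sess_t *s = bucket[hash_ports(sport, dport)]; s; s = s->next)
		if (s->src == src && s->dst == dst && s->proto == proto &&
		    s->sport == sport && s->dport == dport)
			return s->realport;
	return 0;
}
```

With a TCP session and a UDP port-53 session whose ports land in the same bucket, the buggy lookup answers the TCP query with port 53, which is the misreport the steps above produce.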
>Fix:
--- /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c	2005/02/04 16:07:35
+++ /usr/src/sys/contrib/ipfilter/netinet/ip_nat.c	2005/02/06 13:54:31
@@ -2239,7 +2239,20 @@
 {
 	nat_t *nat;
 	fr_info_t fi;
+	int proto;
 
+	switch(np->nl_flags & IPN_TCPUDP) {
+	case IPN_TCP:
+		proto = IPPROTO_TCP;
+		break;
+	case IPN_UDP:
+		proto = IPPROTO_UDP;
+		break;
+	default:
+		proto = 0;
+		break;
+	}
+	
 	bzero((char *)&fi, sizeof(fi));
 	fi.fin_data[0] = ntohs(np->nl_inport);
 	fi.fin_data[1] = ntohs(np->nl_outport);
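Review bot: the `default:` branch sets `proto = 0`, which silently keeps the old protocol-agnostic lookup for any caller that sets neither IPN_TCP nor IPN_UDP (and, if IPN_TCPUDP is the OR of the two flags, for a caller that sets both); a one-line comment on that branch stating that 0 means "match any protocol" would document the fallback. Two style(9) points in the same hunk: `switch(np->nl_flags & IPN_TCPUDP)` wants a space after `switch`, and the added line after the closing brace of the switch is a lone tab rather than an empty line.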
@@ -2248,7 +2261,7 @@
 	 * If nl_inip is non null, this is a lookup based on the real
 	 * ip address. Else, we use the fake.
 	 */
-	if ((nat = nat_outlookup(&fi, np->nl_flags, 0, np->nl_inip,
+	if ((nat = nat_outlookup(&fi, np->nl_flags, proto, np->nl_inip,
 				 np->nl_outip, 0))) {
 		np->nl_realip = nat->nat_outip;
 		np->nl_realport = nat->nat_outport;
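Review bot: passing `proto` instead of `0` to nat_outlookup addresses the ignored-protocol half of the description, but the description also says that hash-table records are not checked against the ports placed in `fi.fin_data[0]` and `fi.fin_data[1]`; the reviewer should confirm that nat_outlookup compares those ports once a non-zero protocol is supplied, and what it does when `proto` stays 0, since otherwise the port-53 misreport can persist for callers that omit IPN_TCP/IPN_UDP. A sentence in the change description explaining where the port comparison happens would make that dependency explicit.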
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: arved 
Responsible-Changed-When: Sat Jun 4 20:48:53 GMT 2005 
Responsible-Changed-Why:  
Over to ipfilter maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77195 
State-Changed-From-To: open->suspended 
State-Changed-By: darrenr 
State-Changed-When: Mon Feb 27 09:34:41 UTC 2006 
State-Changed-Why:  
this patch is fixed in 6.* and -current. 
At some point IPFilter on RELENG_5_4 should be updated to 
the last 3.4 version. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77195 
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:16:59 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77195 
>Unformatted:
