Date: Wed, 22 Aug 2001 05:37:16 -0700 (PDT)
From: Michael Nottebrock <nottebrock@crosswinds.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
X-Send-Pr-Version: www-1.0

>Number:         29954
>Category:       ports
>Synopsis:       Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 22 05:40:00 PDT 2001
>Closed-Date:    Sat Nov 24 11:49:21 PST 2001
>Last-Modified:  Sat Nov 24 11:49:29 PST 2001
>Originator:     Michael Nottebrock
>Release:        4.3-STABLE
>Organization:
>Environment:
FreeBSD lofi.dyndns.org 4.3-STABLE FreeBSD 4.3-STABLE #8: Wed Jul 11 15:50:34 CEST 2001     root@lofi.dyndns.org:/usr/obj/usr/src/sys/MYKERNEL  i386
>Description:
Tircproxy, when used in transparent proxy mode, looks up the original destination of the redirected packets in /dev/ipnat. This lookup fails in FreeBSD 4.3R and later because IP Filter 3.4.x expects a different argument to the natlookup ioctl call than IP Filter 3.3.x. If a connection is made, tircproxy prints out "ioctrl: Bad address" and refuses the connection.
>How-To-Repeat:
Set up a redirection rule in /etc/ipnat.rules like

'rdr dc0 0.0.0.0/0 port 6667 -> 127.0.0.1 port 7776'

and run '/usr/local/sbin/tircproxy -s 7666 -MRH -i <internal-ip>'. Then try to connect to an IRC server from a machine connecting to the proxy via the dc0 interface.
>Fix:
With this patch, the port checks the version of FreeBSD at build time and makes the appropriate calls if the machine is running 4.3R or higher.

>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@ringlet.net>
To: Michael Nottebrock <nottebrock@crosswinds.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/29954: Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
Date: Wed, 22 Aug 2001 15:47:03 +0300

 On Wed, Aug 22, 2001 at 05:37:16AM -0700, Michael Nottebrock wrote:
 > 
 > >Number:         29954
 > >Category:       ports
 > >Synopsis:       Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
 > >Originator:     Michael Nottebrock
 > >Release:        4.3-STABLE
 > >Organization:
 > >Environment:
 > FreeBSD lofi.dyndns.org 4.3-STABLE FreeBSD 4.3-STABLE #8: Wed Jul 11 15:50:34 CEST 2001     root@lofi.dyndns.org:/usr/obj/usr/src/sys/MYKERNEL  i386
 > >Description:
 > Tircproxy, when used in transparent proxy mode, looks up the original destination of the redirected packets in /dev/ipnat. This lookup fails in FreeBSD 4.3R and later because IP Filter 3.4.x expects a different argument to the natlookup ioctl call than IP Filter 3.3.x. If a connection is made, tircproxy prints out "ioctrl: Bad address" and refuses the connection.
 > >How-To-Repeat:
 > Set up a redirection rule in /etc/ipnat.rules like
 > 
 > 'rdr dc0 0.0.0.0/0 port 6667 -> 127.0.0.1 port 7776'
 > 
 > and run '/usr/local/sbin/tircproxy -s 7666 -MRH -i <internal-ip>'. Then try to connect to an IRC server from a machine connecting to the proxy via the dc0 interface.
 > >Fix:
 > With this patch, the port checks the version of FreeBSD at build time and makes the appropriate calls if the machine is running 4.3R or higher.
 
 Great analysis there!
 
 However, a compile-time check would break if the port is built on
 an IPF 3.3.x system, which is later updated to IPF 3.4.x.
 Granted, this would be a case of improper system administration,
 but I wonder if a runtime check would not fix it better - check
 the result of the kern.osreldate sysctl instead of __FreeBSD_version?
 
 G'luck,
 Peter
 
 -- 
 If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.
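
The run-time check suggested in the message above, sketched as an added example; it is not part of the PR, the submitted patch or the tircproxy port. The function names, the `void *` stand-in for `natlookup_t` and the use of 430000 as the kern.osreldate value for 4.3-RELEASE are assumptions of this example, and it fails closed when the release cannot be read.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Assumed threshold: 4.3-RELEASE, the first release the PR reports as affected. */
#define OSRELDATE_IPF34 430000

/* Return kern.osreldate of the running kernel, or -1 if it cannot be read. */
static int running_osreldate(void)
{
#ifdef __FreeBSD__
    int mib[2] = { CTL_KERN, KERN_OSRELDATE };
    int osreldate = 0;
    size_t len = sizeof(osreldate);
    if (sysctl(mib, 2, &osreldate, &len, NULL, 0) == -1 || len != sizeof(osreldate))
        return -1;
    return osreldate;
#else
    return -1;                      /* no kern.osreldate on this platform */
#endif
}

/* Choose the third ioctl() argument for the NAT lookup.
 * IP Filter 3.3.x takes the address of the lookup structure itself;
 * IP Filter 3.4.x takes the address of a pointer to it (stored in *slot).
 * Returns NULL for an unknown release so the caller refuses instead of guessing. */
static void *natl_ioctl_arg(int osreldate, void *natlook, void **slot)
{
    if (osreldate <= 0 || natlook == NULL || slot == NULL)
        return NULL;
    if (osreldate < OSRELDATE_IPF34)
        return natlook;
    *slot = natlook;                /* must stay valid until ioctl() returns */
    return slot;
}

int main(void)
{
    char natlook[64];               /* constructed stand-in for natlookup_t */
    void *slot = NULL;
    int rel = running_osreldate();
    void *arg = natl_ioctl_arg(rel, natlook, &slot);
    printf("osreldate=%d: %s\n", rel, arg == NULL ? "unknown, refuse" :
           arg == (void *)natlook ? "3.3.x form" : "3.4.x form");
    return 0;
}
```

Because the decision is taken from the running kernel, a binary built on an IPF 3.3.x system keeps working after the system is updated to IPF 3.4.x.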

From: "Michael Nottebrock" <nottebrock@crosswinds.net>
To: "Peter Pentchev" <roam@ringlet.net>
Cc: <freebsd-gnats-submit@FreeBSD.org>
Subject: Re: ports/29954: Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
Date: Wed, 22 Aug 2001 23:04:06 +0200

 From: "Peter Pentchev" <roam@ringlet.net>, Wednesday, August 22, 2001 2:47 PM:
 
 > [...]
 > Granted, this would be a case of improper system administration,
 > but I wonder if a runtime check would not fix it better - check
 > the result of the kern.osreldate sysctl instead of __FreeBSD_version?
 > [...]
 
 Hm. Didn't think of that. Here's a new Patch which does it all at runtime :).
 
 
 

From: Pete Fritchman <petef@databits.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: CoreDumped@CoreDumped.null.ru
Subject: Re: ports/29954: Tircproxy breaks in transparent proxy mode under 4.3R & higher (IP Filter 3.4.x).
Date: Sat, 3 Nov 2001 06:12:05 -0500

 What does the maintainer think about this?
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=29954
 
 --
 Pete Fritchman [petef@(databits.net|freebsd.org|csh.rit.edu)]
 finger petef@databits.net for PGP key
State-Changed-From-To: open->closed 
State-Changed-By: dwcjr 
State-Changed-When: Sat Nov 24 11:49:21 PST 2001 
State-Changed-Why:  
Committed, thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29954 
>Unformatted:
