Date: Wed, 10 Oct 2001 02:40:01 -0700 (PDT) From: "Crist J. Clark" <cristjc@earthlink.net> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/31130: ipfw tee functionality causes malfunction and security hole Message-ID: <200110100940.f9A9e1e91417@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/31130; it has been noted by GNATS. From: "Crist J. Clark" <cristjc@earthlink.net> To: Tim Burgess <tburgess@whitley.unimelb.edu.au> Cc: freebsd-gnats-submit@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: kern/31130: ipfw tee functionality causes malfunction and security hole Date: Wed, 10 Oct 2001 02:35:47 -0700 On Tue, Oct 09, 2001 at 02:20:02AM -0700, Crist J. Clark wrote: [snip] > On the wire and the packets never get routed to the "real" 172.16.0.1. > Trying to figure out if, > > a) This is the expected behavior, but is poorly documented, or > b) Something is broken. > > I'm thinking (b), but still wading through src/sys/netinet to verify. Well, I see why this happens, but still not sure if it is supposed to happen. If we look at src/sys/netinet/ip_input.c, we see that all diverted or teed packets are accepted by the host as destined for itself, #ifdef IPDIVERT if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) { /* Divert or tee packet */ divert_info = i; goto ours; } #endif The packets are clearly going to be processed by the gateway. You seem to have already found this in the code snipped in your original PR, but I didn't notice your change. Please post changes to code as unified diffs. I now understand the 'fix' you were talking about. Have you actually built a kernel with your modifications? Does it seem to work? But packets _leaving_ the system seem to be processed as one would expect. That is, a copy is divert(4)ed and then the packet heads out onto to the wire. This apparent inconsistency is a bug since it is either unintended behavior or at least undocumented behavior. But the inconsistency gives you a temporary workaround. Instead of, 600 tee 8665 ip from any to any in Does, 600 tee 8665 ip from any to any out Work as you would expect? -- Crist J. Clark cjclark@alum.mit.edu cjclark@jhu.edu cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110100940.f9A9e1e91417>