Date: Thu, 27 Feb 2014 15:15:22 +0900 (JST) From: HASHI Hiroaki <hashiz@meridiani.jp> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/187105: [PATCH] net/miniupnpd fix incrrect redirect filter Message-ID: <20140227061522.64F214ABE1B@stenmark.meridiani.jp> Resent-Message-ID: <201402270630.s1R6U29D089787@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 187105
>Category: ports
>Synopsis: [PATCH] net/miniupnpd fix incrrect redirect filter
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 27 06:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: HASHI Hiroaki
>Release: FreeBSD 10.0-STABLE amd64
>Organization:
person
>Environment:
System: FreeBSD stenmark.meridiani.jp 10.0-STABLE FreeBSD 10.0-STABLE #1 r262429M: Mon Feb 24 15:31:28 JST 2014 hashiz@stenmark.meridiani.jp:/usr/obj/usr/src/sys/STENMARK amd64
>Description:
net/miniupnpd add incorrect filter rule at AddPortMapping request.
>How-To-Repeat:
Invite remote assistance from windows client on internal network.
show 'pfctl -a miniupnpd -s rules; pfctl -a miniupnpd -s nat'
rdr rule is correct, but filter rule port number is incorrect (external port number).
>Fix:
filter rule's port number must be 'internal' port number.
--- miniupnpd.patch begins here ---
diff -ruN net/miniupnpd.orig/Makefile net/miniupnpd/Makefile
--- net/miniupnpd.orig/Makefile 2014-01-26 23:27:10.000000000 +0900
+++ net/miniupnpd/Makefile 2014-02-27 14:18:05.000000000 +0900
@@ -3,7 +3,7 @@
PORTNAME= miniupnpd
PORTVERSION= 1.8
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= net
MASTER_SITES= http://miniupnp.tuxfamily.org/files/ \
@@ -28,7 +28,8 @@
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MPF_ENABLE_FILTER_RULES}
-EXTRA_PATCHES= ${PATCHDIR}/pf_enable_filter_rules.patch
+EXTRA_PATCHES= ${PATCHDIR}/pf_enable_filter_rules.patch \
+ ${PATCHDIR}/fixredirect.patch
.endif
post-patch-script:
diff -ruN net/miniupnpd.orig/files/fixredirect.patch net/miniupnpd/files/fixredirect.patch
--- net/miniupnpd.orig/files/fixredirect.patch 1970-01-01 09:00:00.000000000 +0900
+++ net/miniupnpd/files/fixredirect.patch 2014-02-27 14:14:37.000000000 +0900
@@ -0,0 +1,68 @@
+--- pf/obsdrdr.c.orig 2014-02-27 13:38:57.000000000 +0900
++++ pf/obsdrdr.c 2014-02-27 13:41:27.000000000 +0900
+@@ -365,7 +365,7 @@
+ #endif
+
+ pcr.rule.dst.port_op = PF_OP_EQ;
+- pcr.rule.dst.port[0] = htons(eport);
++ pcr.rule.dst.port[0] = htons(iport);
+ pcr.rule.direction = PF_IN;
+ pcr.rule.action = PF_PASS;
+ pcr.rule.af = AF_INET;
+@@ -399,7 +399,7 @@
+ pcr.rule.src.addr.v.a.mask.v4.s_addr = htonl(INADDR_NONE);
+ }
+ #ifndef PF_NEWSTYLE
+- pcr.rule.rpool.proxy_port[0] = eport;
++ pcr.rule.rpool.proxy_port[0] = iport;
+ a = calloc(1, sizeof(struct pf_pooladdr));
+ inet_pton(AF_INET, iaddr, &a->addr.v.a.addr.v4.s_addr);
+ a->addr.v.a.mask.v4.s_addr = htonl(INADDR_NONE);
+@@ -617,10 +617,10 @@
+ }
+
+ int
+-delete_filter_rule(const char * ifname, unsigned short eport, int proto)
++delete_filter_rule(const char * ifname, unsigned short iport, int proto)
+ {
+ #ifndef PF_ENABLE_FILTER_RULES
+- UNUSED(ifname); UNUSED(eport); UNUSED(proto);
++ UNUSED(ifname); UNUSED(iport); UNUSED(proto);
+ return 0;
+ #else
+ int i, n;
+@@ -646,7 +646,7 @@
+ syslog(LOG_ERR, "ioctl(dev, DIOCGETRULE): %m");
+ goto error;
+ }
+- if( (eport == ntohs(pr.rule.dst.port[0]))
++ if( (iport == ntohs(pr.rule.dst.port[0]))
+ && (pr.rule.proto == proto) )
+ {
+ pr.action = PF_CHANGE_GET_TICKET;
+--- upnpredirect.c.orig 2014-02-27 13:42:05.000000000 +0900
++++ upnpredirect.c 2014-02-27 14:00:06.000000000 +0900
+@@ -420,8 +420,22 @@
+ #if defined(__linux__)
+ r = delete_redirect_and_filter_rules(eport, proto);
+ #else
++ char iaddr[INET6_ADDRSTRLEN];
++ unsigned short iport;
++ char desc[64];
++ char rhost[64];
++ unsigned int timestamp;
++ u_int64_t packets;
++ u_int64_t bytes;
++ int r2 = get_redirect_rule(ext_if_name, eport, proto,
++ &iaddr, sizeof(iaddr), &iport,
++ &desc, sizeof(desc),
++ &rhost, sizeof(rhost),
++ ×tamp,
++ &packets, &bytes);
+ r = delete_redirect_rule(ext_if_name, eport, proto);
+- delete_filter_rule(ext_if_name, eport, proto);
++ if (r2==0)
++ delete_filter_rule(ext_if_name, iport, proto);
+ #endif
+ #ifdef ENABLE_LEASEFILE
+ lease_file_remove( eport, proto);
--- miniupnpd.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140227061522.64F214ABE1B>