IP Filter bug report form.
--------------------------
IP Filter Version: 4.1.3
Operating System Version: Solaris 9 x86
Configuration: LKM

Description of problem:

Telnetting into the box works with:

  ipf.conf:

    pass in quick proto tcp from any to any port = telnet
    pass out quick proto tcp from any port = telnet to any

  ipnat.conf:

    map ip.tun0 feith-bb/32 -> feith-bb/32
    map ip.tun0 feith-bb-vpn/32 -> feith-bb-vpn/32

and fails with:

  ipf.conf:

    pass in quick proto tcp from any to any port = telnet keep state

  ipnat.conf:

    map ip.tun0 feith-bb/32 -> feith-bb/32
    map ip.tun0 feith-bb-vpn/32 -> feith-bb-vpn/32

Applying print statements showed that fr_tcpinwindow was failing
due to fdata->td_maxend (is->is_maxsend) being reset by fr_addstate,
which was being called twice for the same connection because
fr_matchsrcdst was failing the IP options check, since in one case
flx had IP_NATED set (note that in both cases the src and dst matched).

How to repeat:

Use:

  ipf.conf:

    pass in quick proto tcp from any to any port = telnet keep state

  ipnat.conf:

    map ip.tun0 feith-bb/32 -> feith-bb/32
    map ip.tun0 feith-bb-vpn/32 -> feith-bb-vpn/32

and try telnetting to feith-bb-vpn.
The enclosed patch to ip_fil.h fixes the problem.

*** ip_fil.h.ORIGINAL   Tue Jun  8 09:14:17 2004
--- ip_fil.h    Tue Oct 26 22:33:06 2004
*************** typedef struct  fr_ip   {
*** 233,239 ****
  #define       FI_FRAGTAIL     0x2000
  #define       FI_BADSRC       0x4000
  #define       FI_LOWTTL       0x8000
! #define       FI_CMP          0xcff3  /* Not FI_FRAG,FI_FRAGTAIL */
  #define       FI_ICMPCMP      0x0003  /* Flags we can check for ICMP error packets */
  #define       FI_WITH         0xeffe  /* Not FI_TCPUDP */
  #define       FI_V6EXTHDR     0x10000
--- 233,239 ----
  #define       FI_FRAGTAIL     0x2000
  #define       FI_BADSRC       0x4000
  #define       FI_LOWTTL       0x8000
! #define       FI_CMP          0xcfe3  /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
  #define       FI_ICMPCMP      0x0003  /* Flags we can check for ICMP error packets */
  #define       FI_WITH         0xeffe  /* Not FI_TCPUDP */
  #define       FI_V6EXTHDR     0x10000
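Review bot: the only bit that changes in FI_CMP is 0x0010 (0xcff3 -> 0xcfe3) and the new comment names it FI_NATED, but FI_NATED's definition is not in this hunk; confirm it really is 0x0010 before committing, because a wrong bit would silently drop a different flag from every state comparison. Since FI_CMP is the mask fr_matchsrcdst applies to all state lookups, removing FI_NATED from it means a NATed and an un-NATed packet with the same addresses and ports now match the same state entry everywhere, not only under the map-to-self rules in this report; say so in the comment or ChangeLog, and consider whether clearing FI_NATED from flx in the NAT path just before the state lookup would be the narrower fix. While touching the line, also make the comment list every bit the mask excludes: 0xcff3 already clears 0x0008 and 0x1000 as well as FI_FRAG and FI_FRAGTAIL, and neither is mentioned.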

-- John
-------------------------------------------------------------------------
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: [EMAIL PROTECTED]  |
|    John Wehle    |     Fax: 1-215-540-5495  |                         |
-------------------------------------------------------------------------
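The mechanism described in the report, replayed as an added example that is not ipfilter code and not part of the original message: a toy state table in which the flags check of fr_matchsrcdst is modelled as a masked comparison of the stored flx against the packet's flx, so that the same connection seen once without FI_NATED and once with it either creates a second state entry (old FI_CMP) or finds the existing one (patched FI_CMP). The flag values FI_FRAGTAIL, FI_BADSRC, FI_LOWTTL and both FI_CMP values come from the hunk above; FI_NATED = 0x0010 is an assumption (the one bit that differs between the two masks), and the addresses, ports, the initial window value 1000 and the +100 advance per matched packet are constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits visible in the ip_fil.h hunk quoted above. */
#define FI_FRAGTAIL 0x2000
#define FI_BADSRC   0x4000
#define FI_LOWTTL   0x8000
#define FI_CMP_OLD  0xcff3   /* FI_CMP before the patch */
#define FI_CMP_NEW  0xcfe3   /* FI_CMP after the patch  */
/* ASSUMPTION: FI_NATED is modelled as 0x0010, the one bit that differs
 * between the two FI_CMP values; its real definition is not in the hunk. */
#define FI_NATED    0x0010

#define MAX_STATES 8

/* Toy stand-in for ipstate_t: the 4-tuple, the flx snapshot taken when
 * the entry was created, and one counter standing in for is_maxsend. */
typedef struct toy_state {
    int      used;
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t flx;
    uint32_t maxsend;
} toy_state_t;

typedef struct toy_table {
    toy_state_t entries[MAX_STATES];
    int         addstate_calls;   /* how often "fr_addstate" ran */
} toy_table_t;

/* Toy fr_matchsrcdst: addresses and ports must match, and the two flx
 * words must agree on every bit that cmpmask keeps. */
static int toy_matchsrcdst(const toy_state_t *is, uint32_t src, uint32_t dst,
                           uint16_t sport, uint16_t dport, uint32_t flx,
                           uint32_t cmpmask)
{
    if (!is->used)
        return 0;
    if (is->src != src || is->dst != dst ||
        is->sport != sport || is->dport != dport)
        return 0;
    return (is->flx & cmpmask) == (flx & cmpmask);
}

/* Toy fr_addstate: take a free slot and start the window bookkeeping over. */
static toy_state_t *toy_addstate(toy_table_t *t, uint32_t src, uint32_t dst,
                                 uint16_t sport, uint16_t dport, uint32_t flx)
{
    int i;
    t->addstate_calls++;
    for (i = 0; i < MAX_STATES; i++) {
        toy_state_t *is = &t->entries[i];
        if (is->used)
            continue;
        is->used = 1;
        is->src = src;     is->dst = dst;
        is->sport = sport; is->dport = dport;
        is->flx = flx;
        is->maxsend = 1000;   /* constructed: window edge as first computed */
        return is;
    }
    return NULL;
}

/* One packet through the "pass in ... keep state" path: find the entry
 * or create one, then advance the window. Returns the entry used. */
static toy_state_t *toy_packet(toy_table_t *t, uint32_t src, uint32_t dst,
                               uint16_t sport, uint16_t dport, uint32_t flx,
                               uint32_t cmpmask)
{
    int i;
    for (i = 0; i < MAX_STATES; i++) {
        toy_state_t *is = &t->entries[i];
        if (toy_matchsrcdst(is, src, dst, sport, dport, flx, cmpmask)) {
            is->maxsend += 100;   /* constructed: existing entry advances */
            return is;
        }
    }
    return toy_addstate(t, src, dst, sport, dport, flx);
}

/* Replays the report's scenario (constructed data): one telnet connection
 * seen twice without FI_NATED and then once with it set, as happens when a
 * "map" rule rewrites a packet of the same flow. Returns how many times
 * state was added; *final_maxsend gets the window value on the entry the
 * last packet landed on (reset to 1000 when a second entry was created). */
int replay_scenario(uint32_t cmpmask, uint32_t *final_maxsend)
{
    toy_table_t t;
    toy_state_t *is;
    const uint32_t client = 0x0a000001;   /* 10.0.0.1, constructed */
    const uint32_t server = 0x0a000002;   /* 10.0.0.2, constructed */

    memset(&t, 0, sizeof(t));
    toy_packet(&t, client, server, 40000, 23, 0, cmpmask);
    toy_packet(&t, client, server, 40000, 23, 0, cmpmask);
    is = toy_packet(&t, client, server, 40000, 23, FI_NATED, cmpmask);
    if (final_maxsend)
        *final_maxsend = is ? is->maxsend : 0;
    return t.addstate_calls;
}

int main(void)
{
    uint32_t w;
    int n = replay_scenario(FI_CMP_OLD, &w);
    printf("FI_CMP 0x%04x: addstate x%d, maxsend %u\n", FI_CMP_OLD, n, w);
    n = replay_scenario(FI_CMP_NEW, &w);
    printf("FI_CMP 0x%04x: addstate x%d, maxsend %u\n", FI_CMP_NEW, n, w);
    return 0;
}
```

With the old mask the third packet fails the flags compare, a second entry is created and its window bookkeeping starts over, which is the reset of is_maxsend the report traces to fr_tcpinwindow failing; with the patched mask the FI_NATED bit is ignored and the packet lands on the existing entry.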