authordarrenr <darrenr@FreeBSD.org>2008-07-24 12:35:05 +0000
committerdarrenr <darrenr@FreeBSD.org>2008-07-24 12:35:05 +0000
commit49ad2adb91673def2dfa0f293612e2de5e3a29af (patch)
treefbe3003abde766264fafdbbd7e484eafc5be4ad5 /contrib/ipfilter
parent308672b0059651d854c35e673c94d0f76d84c25f (diff)
2020447 IPFilter's NAT can undo name server random port selection
Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/ip_fil.c15
-rw-r--r--contrib/ipfilter/ipsend/iptests.c1
-rw-r--r--contrib/ipfilter/ipsend/sock.c1
-rw-r--r--contrib/ipfilter/lib/printnat.c2
-rw-r--r--contrib/ipfilter/test/regress/n122
-rw-r--r--contrib/ipfilter/test/regress/n28
-rw-r--r--contrib/ipfilter/test/regress/n56
-rw-r--r--contrib/ipfilter/test/regress/ni1.nat4
-rw-r--r--contrib/ipfilter/test/regress/ni2.nat2
-rw-r--r--contrib/ipfilter/test/regress/ni4.nat2
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y12
11 files changed, 40 insertions, 15 deletions
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index a3efa87..0694a75 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -801,3 +801,18 @@ int ipfsync()
{
return 0;
}
+
+
+u_32_t ipf_random()
+{
+ static int seeded = 0;
+
+ /*
+ * Choose a non-random seed so that "randomness" can be "tested."
+ */
+ if (seeded == 0) {
+ srand(0);
+ seeded = 1;
+ }
+ return rand();
+}
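Review bot: ipf_random() returns rand() seeded once with srand(0), so every value it produces is fully predictable; that is acceptable only if this ip_fil.c is never linked into a build that handles live traffic, and the hunk does not say which build it belongs to. The header comment should state the contract explicitly, e.g. `/* Userland/test stub only: deterministic by design so regress tests are repeatable. Any build that NATs real traffic must provide ipf_random() from a cryptographically strong source (e.g. arc4random()), otherwise the VU#521769 fix is void. */`. The function is declared to return u_32_t but rand() yields an int in [0, RAND_MAX], so callers that fold the result into a port range should document that they are working with at most RAND_MAX bits of range rather than a full 32-bit value. The file-static `seeded` flag is unprotected, which is fine for a single-threaded harness but worth a one-line note for anyone reusing the stub.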
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 0dd96b8..22ef71f 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -24,6 +24,7 @@ typedef int boolean_t;
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
+# include <machine/mutex.h>
# endif
# define _KERNEL
# define KERNEL
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index 7d0157c..dcff6eb 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -32,6 +32,7 @@ typedef int boolean_t;
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
+# include <machine/mutex.h>
# endif
# ifdef __FreeBSD__
# define _WANT_FILE
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
index 62942ce..39c43ca 100644
--- a/contrib/ipfilter/lib/printnat.c
+++ b/contrib/ipfilter/lib/printnat.c
@@ -217,6 +217,8 @@ int opts;
putchar(' ');
printproto(pr, np->in_p, np);
}
+ if (np->in_flags & IPN_SEQUENTIAL)
+ printf(" sequential");
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
diff --git a/contrib/ipfilter/test/regress/n12 b/contrib/ipfilter/test/regress/n12
index 225675b..933856b 100644
--- a/contrib/ipfilter/test/regress/n12
+++ b/contrib/ipfilter/test/regress/n12
@@ -1 +1 @@
-map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000
+map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000 sequential
diff --git a/contrib/ipfilter/test/regress/n2 b/contrib/ipfilter/test/regress/n2
index dbce5aa..39a4d72 100644
--- a/contrib/ipfilter/test/regress/n2
+++ b/contrib/ipfilter/test/regress/n2
@@ -1,4 +1,4 @@
-map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
-map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
+map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000 sequential
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
diff --git a/contrib/ipfilter/test/regress/n5 b/contrib/ipfilter/test/regress/n5
index e55cea0..d9f1a88 100644
--- a/contrib/ipfilter/test/regress/n5
+++ b/contrib/ipfilter/test/regress/n5
@@ -1,6 +1,6 @@
map zx0 10.1.1.1/32 -> 10.2.2.2/32
map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
-map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
diff --git a/contrib/ipfilter/test/regress/ni1.nat b/contrib/ipfilter/test/regress/ni1.nat
index f38e435..077aab1 100644
--- a/contrib/ipfilter/test/regress/ni1.nat
+++ b/contrib/ipfilter/test/regress/ni1.nat
@@ -1,3 +1,3 @@
-map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp 2000:2500
-map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp 20000:25000
+map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp 2000:2500 sequential
+map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp 20000:25000 sequential
map df0 from 2.2.2.2/32 to any -> 6.6.6.6/32
diff --git a/contrib/ipfilter/test/regress/ni2.nat b/contrib/ipfilter/test/regress/ni2.nat
index 4ad73c2..43d2c83 100644
--- a/contrib/ipfilter/test/regress/ni2.nat
+++ b/contrib/ipfilter/test/regress/ni2.nat
@@ -1 +1 @@
-map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000
+map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000 sequential
diff --git a/contrib/ipfilter/test/regress/ni4.nat b/contrib/ipfilter/test/regress/ni4.nat
index 6eefdc2..e9d5cc1 100644
--- a/contrib/ipfilter/test/regress/ni4.nat
+++ b/contrib/ipfilter/test/regress/ni4.nat
@@ -1 +1 @@
-map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000
+map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000 sequential
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
index cce717d..7109f60 100644
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ b/contrib/ipfilter/tools/ipnat_y.y
@@ -95,7 +95,7 @@ static void setnatproto __P((int));
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE
+%token IPNY_TLATE IPNY_SEQUENTIAL
%type <port> portspec
%type <num> hexnumber compare range proto
%type <ipa> hostname ipv4
@@ -422,11 +422,11 @@ otherifname:
;
mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec
+ IPNY_PORTMAP tcpudp portspec ':' portspec randport
{ nat->in_pmin = htons($3);
nat->in_pmax = htons($5);
}
- | IPNY_PORTMAP tcpudp IPNY_AUTO
+ | IPNY_PORTMAP tcpudp IPNY_AUTO randport
{ nat->in_flags |= IPN_AUTOPORTMAP;
nat->in_pmin = htons(1024);
nat->in_pmax = htons(65535);
@@ -446,6 +446,10 @@ mapport:
}
;
+randport:
+ | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
+ ;
+
sobject:
saddr
| saddr port portstuff { nat->in_sport = $3.p1;
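Review bot: The new `randport` rule at the top of the hunk uses an empty first alternative to mean "randomised port selection", and nothing in the grammar says so; a reader sees `randport:` followed directly by `| IPNY_SEQUENTIAL` and may take it for a typo. Suggest a comment above the rule: `/* empty: randomised port allocation (the default after CERT VU#521769); "sequential" restores the old incrementing allocation. */`. Because the default changed, existing rule files that relied on sequential allocation silently change behaviour when reloaded; the diffstat shows no manual page among the 11 files, so unless it was updated separately the ipnat(5) description of `portmap` should mention the new keyword and default.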
@@ -519,6 +523,7 @@ rdroptions:
nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
sizeof(nat->in_tag.ipt_tag));
}
+
rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
;
@@ -647,6 +652,7 @@ static wordtab_t yywords[] = {
{ "range", IPNY_RANGE },
{ "rdr", IPNY_RDR },
{ "round-robin",IPNY_ROUNDROBIN },
+ { "sequential", IPNY_SEQUENTIAL },
{ "sticky", IPNY_STICKY },
{ "tag", IPNY_TAG },
{ "tcp", IPNY_TCP },