| Summary: | libfetch does not use IP_PORTRANGE_HIGH by default |
|---|---|
| Product: | Base System |
| Reporter: | peter <peter> |
| Component: | bin |
| Assignee: | Dag-Erling Smørgrav <des> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | 5.0-CURRENT |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
Responsible Changed From-To: freebsd-bugs->des
MAINTAINER=des

State Changed From-To: open->closed
Fixed in -CURRENT and -STABLE.
Description:

The old fetch(1)/libftpio library unconditionally used the RFC-sanctioned high port range. This space is intentionally intended to be used so that proxy libraries can rewrite the PORT tcp packets on data streams on NATs, and so that firewalls have a safe target range that can allow incoming connections, free from the ephemeral ports that are used by things like rpc services. The new fetch/libfetch has regressed to requiring an option to use this.

Fix:

Minimal fix, minus man page and some comment updates.

How-To-Repeat:

Old code (unconditional use of IP_PORTRANGE_HIGH):

```c
/* libftpio: always request the high range before binding the data socket */
portrange = IP_PORTRANGE_HIGH;
if (setsockopt(s, IPPROTO_IP, IP_PORTRANGE, (char *) &portrange, sizeof(portrange)) < 0) {
	close(s);
	return FAILURE;
};
```

New code (broken):

```c
/* libfetch: the high range is requested only when the caller passed the 'h' flag */
high = CHECK_FLAG('h');
arg = high ? IP_PORTRANGE_HIGH : IP_PORTRANGE_DEFAULT;
if (setsockopt(sd, IPPROTO_IP, IP_PORTRANGE, (char *)&arg, sizeof arg) == -1)
	goto sysouch;
break;
```

(where the 'h' flag is off by default :-( )
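To make the behaviour the report describes observable, here is an added example that is not part of the PR and not libfetch or libftpio code. It requests the high ephemeral range on a socket the same way both snippets above do, lets the kernel pick a port by binding port 0 on loopback, and reports whether the chosen port falls inside the range a firewall rule for "high" ports would cover. The function names, the loopback bind, and the fallback values 49152-65535 for `IPPORT_HIFIRSTAUTO`/`IPPORT_HILASTAUTO` are assumptions of the example (those bounds are the FreeBSD defaults behind `net.inet.ip.portrange.hifirst`/`hilast`, but they are sysctl-tunable); `IP_PORTRANGE` is a BSD socket option, so on a system without it the request is skipped and reported as unsupported rather than faked.

```c
/* Added example (not from the PR, libfetch or libftpio): request the high
 * ephemeral port range and see which port the kernel actually hands out. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed FreeBSD defaults for net.inet.ip.portrange.hifirst/hilast.
 * They are tunable, so a production check should read the sysctl. */
#ifndef IPPORT_HIFIRSTAUTO
#define IPPORT_HIFIRSTAUTO 49152
#endif
#ifndef IPPORT_HILASTAUTO
#define IPPORT_HILASTAUTO 65535
#endif

/* 1 if the port lies in the range a "high ports" firewall rule would cover. */
int port_in_high_range(unsigned port)
{
    return port >= IPPORT_HIFIRSTAUTO && port <= IPPORT_HILASTAUTO;
}

/* 1 if this build can ask for IP_PORTRANGE_HIGH at all (BSD only). */
int portrange_supported(void)
{
#ifdef IP_PORTRANGE
    return 1;
#else
    return 0;
#endif
}

/* Bind a TCP socket to 127.0.0.1 with port 0 so the kernel chooses the port,
 * from the high range when want_high is set, otherwise from the default range.
 * Returns 0 and stores the chosen port, or -1 with errno set.  This is the
 * step libftpio did unconditionally and libfetch only does with the 'h' flag. */
int bind_ephemeral_port(int want_high, unsigned short *port_out)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
#ifdef IP_PORTRANGE
    int range = want_high ? IP_PORTRANGE_HIGH : IP_PORTRANGE_DEFAULT;
    if (setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &range, sizeof range) == -1) {
        close(s);
        return -1;
    }
#else
    (void)want_high;   /* no such knob here: the kernel's single range is used */
#endif
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;  /* let the kernel pick */
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) == -1 ||
        getsockname(s, (struct sockaddr *)&sin, &len) == -1) {
        close(s);
        return -1;
    }
    *port_out = ntohs(sin.sin_port);
    close(s);
    return 0;
}

int main(void)
{
    unsigned short p;
    int want_high;
    for (want_high = 0; want_high < 2; want_high++) {
        if (bind_ephemeral_port(want_high, &p) == -1) {
            perror("bind_ephemeral_port");
            return 1;
        }
        printf("%s range: got port %u (%s the high range)\n",
               want_high ? "high   " : "default", p,
               port_in_high_range(p) ? "inside" : "outside");
    }
    if (!portrange_supported())
        printf("IP_PORTRANGE not available here; both picks came from the default range\n");
    return 0;
}
```

On a FreeBSD host the second line of output should always report a port inside the high range; the first line is where the regression shows, since a caller that forgets the 'h' flag gets a port the firewall's high-range rule may not cover. Run it a few times, because a single draw from the default range can land in the high range by chance.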