Bug 33371

Summary: ipnat(5) requires mapped-to port in rdr rules
Product: Documentation
Reporter: Matthew Whelan <muttley>
Component: Books & Articles
Assignee: guido
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Matthew Whelan 2001-12-31 05:10:01 UTC
The ipnat(5) man page is inconsistent with actual behaviour for redirection (rdr) rules.

From ipnat(5):


    redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options

and

    options ::= [ tcpudp ] [ rr ]

But if you try to omit the [ ports ]:

    root@ericnernie# ipnat -n -f -
    rdr tun0 0/32 port 7010-7019 -> 192.168.0.3
    1: No netmask supported in destination host for redirect
    1: syntax error in "rdr"
    rdr tun0 0/32 port 7010-7019 -> 192.168.0.3 tcp
    2: missing fields - 2nd port (tcp)
    2: syntax error in "rdr"
    rdr tun0 0/32 port 7010-7019 -> 192.168.0.3 port 7010 tcp

Fix:

Amend the manpage so that

    redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options

reads as

    redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] ports options

How-To-Repeat: N/A
Comment 1 ipnat.diff 2001-12-31 15:33:12 UTC
Please try this patch (I hope this sends using this program LOL, if not I'll resubmit)
Comment 2 darklogik 2001-12-31 15:45:58 UTC
*** ipnat.5	Mon Dec 31 10:27:35 2001
--- ipnat.5.new	Mon Dec 31 10:26:18 2001
***************
*** 10,16 ****
  map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
  map ::= mapit ifname fromto "->" ipmask [ mapport ] .
  mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
! redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
  
  dport ::= "port" portnum [ "-" portnum ] .
  ports ::= "ports" numports | "auto" .
--- 10,16 ----
  map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
  map ::= mapit ifname fromto "->" ipmask [ mapport ] .
  mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
! redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] ports options . 
  
  dport ::= "port" portnum [ "-" portnum ] .
  ports ::= "ports" numports | "auto" .
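Review bot: In the changed redir line, making ports mandatory still does not describe the rule that ipnat accepted in the report (rdr tun0 0/32 port 7010-7019 -> 192.168.0.3 port 7010 tcp). The ports production two lines below is "ports" numports | "auto", which has no "port" portnum form, and mapblock also depends on it. Suggest adding a separate production for the mapped-to port, of the shape "port" portnum, and referencing that from redir instead of reusing ports. The new redir line also carries a trailing space after the final period.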
Comment 3 ru freebsd_committer freebsd_triage 2002-01-09 09:32:04 UTC
Responsible Changed
From-To: freebsd-doc->guido

Guido, could you please look into it?
Comment 4 guido freebsd_committer freebsd_triage 2002-01-10 11:26:08 UTC
State Changed
From-To: open->feedback

In ipf-3.4-current, a fix is in place. I want to wait until
the release based on that version is imported.

Btw: the patch in the PR is not completely right.
This is what it should have been:
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options . 
+redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options . 
+rdrport ::= "port" portnum .
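Review bot: The new rdrport production takes a single portnum, while dport (unchanged) still allows a range, "port" portnum [ "-" portnum ], so the grammar admits the reporter's port 7010-7019 -> ... port 7010 rule without documenting how a matched range maps onto the one mapped-to port. Suggest a sentence in the manual page's description of rdr rules that covers the range case alongside this grammar change.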
Comment 5 Tom Rhodes freebsd_committer freebsd_triage 2002-08-27 01:16:43 UTC
State Changed
From-To: feedback->closed

As the original patch submitter, I've just checked the ipnat(5) manual page 
on my STABLE box and this has been fixed.  Thanks!
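
The corrected production from Comment 4, turned into a pre-load check for rdr rules and run over the three lines from the reporter's ipnat session (an added example, not part of the bug report or of IP Filter's own code). The token shapes for ipmask, ip, tcpudp and rr, the 1-65535 port bound, and the name check_rdr are assumptions made for the example; the page does not define them.

```python
import re

# Productions taken from the page (Comment 4's corrected form):
#   redir   ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
#   dport   ::= "port" portnum [ "-" portnum ] .
#   rdrport ::= "port" portnum .
#   options ::= [ tcpudp ] [ rr ]
# Assumed here (not defined on the page): ipmask is addr/bits, ip is a
# dotted quad, tcpudp is tcp | udp | tcp/udp, rr is "round-robin".
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RDR = re.compile(
    r"rdr\s+(?P<ifname>\S+)\s+(?P<ipmask>[\d.]+/\d{1,2})\s+"
    r"port\s+(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?\s+->\s+"
    rf"(?P<ip>{IP})(?:\s*,\s*(?P<ip2>{IP}))?"
    r"(?:\s+port\s+(?P<rdrport>\d+))?"  # optional only so its absence can be reported
    r"(?:\s+(?P<proto>tcp/udp|tcp|udp))?(?:\s+(?P<rr>round-robin))?\s*$"
)

def check_rdr(rule):
    """Return a list of problems; an empty list means the rule fits the grammar."""
    m = RDR.match(rule.strip())
    if not m:
        return ["does not match the redir production"]
    problems = []
    if m["rdrport"] is None:
        problems.append("missing mapped-to port (rdrport is mandatory)")
    ports = [m["lo"], m["hi"] or m["lo"], m["rdrport"] or "1"]
    if any(not 1 <= int(p) <= 65535 for p in ports):
        problems.append("port number out of range 1-65535")
    if int(m["hi"] or m["lo"]) < int(m["lo"]):
        problems.append("dport range is reversed")
    if any(int(o) > 255 for a in (m["ip"], m["ip2"]) if a for o in a.split(".")):
        problems.append("destination ip octet out of range")
    return problems

# The three rules typed in the bug report's ipnat session.
REPORTED = [
    "rdr tun0 0/32 port 7010-7019 -> 192.168.0.3",
    "rdr tun0 0/32 port 7010-7019 -> 192.168.0.3 tcp",
    "rdr tun0 0/32 port 7010-7019 -> 192.168.0.3 port 7010 tcp",
]

if __name__ == "__main__":
    for n, rule in enumerate(REPORTED, 1):
        print(n, check_rdr(rule) or "ok", sep=": ")
```

The first two reported rules are flagged for the missing mapped-to port and the third passes, matching what the ipnat session in the description shows.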