rc.firewall does not check whether natd_interface is an address when setting up rules for natd. Not all cases of natd can be dealt with since natd.conf can contain more addresses, but this seems like a reasonable change. Fix: My change to OPEN is questionable, but I don't use the open firewall rule so I just put something in. My change to SIMPLE is based on the user-entered values for oif, inet, and imask. My fw is based on SIMPLE and I have tested it to see that it works. --- rc.firewall.orig Tue Sep 16 14:49:31 2003 +++ rc.firewall Tue Sep 16 14:46:27 2003 @@ -121,7 +121,13 @@ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} + if echo ${natd_interface} | \ + grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then + ${fwcmd} add 50 divert natd all from any to ${natd_interface} in + ${fwcmd} add 50 divert natd all from not ${natd_interface} to any out + else + ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} + fi fi ;; esac @@ -236,7 +242,13 @@ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add divert natd all from any to any via ${natd_interface} + if echo ${natd_interface} | \ + grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then + ${fwcmd} add divert natd all from any to ${natd_interface} in via ${oif} + ${fwcmd} add divert natd all from ${inet}:${imask} to any out via ${oif} + else + ${fwcmd} add divert natd all from any to any via ${natd_interface} + fi fi ;; esac
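Review bot: the address test `grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'` in the first hunk (OPEN section, @@ -121) accepts any one to four dot-separated numbers, so a mistyped value such as `10.1` or `999.1.2.3` silently takes the address branch and installs rules for a non-existent address instead of failing visibly; `${natd_interface}` is also unquoted in the `echo`. The two replacement rules are looser than the one they replace: `from any to ${natd_interface} in` has no `via`, so it diverts matching packets arriving on any interface, and `from not ${natd_interface} to any out` diverts every outbound packet whose source is not that address, including traffic leaving on the internal interface, which the submission itself calls questionable. If these rules are kept, pin both to the interface with `in via`/`out via` as the second hunk does; otherwise, as the closing comment points out, `via` already accepts an address in ipfw(8) and the original single rule can stay.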
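Review bot: the second hunk (SIMPLE section, @@ -236) repeats the address regex verbatim; compute the test once into a variable before both `case` statements so the two sections cannot drift, and quote the `echo` argument. The replacement `from ${inet}:${imask} to any out via ${oif}` diverts only outbound packets sourced from the inner network, whereas the original `via ${natd_interface}` rule handed natd every packet crossing the interface in both directions; that narrowing is probably intended, but it depends on `inet` and `imask` describing the internal network exactly and deserves a comment in the script saying so.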
Class Changed From-To: sw-bug->change-request This is a change-request (according to the original submission).
Responsible Changed From-To: gnats-admin->freebsd-bugs Reassign misfiled PR.
Responsible Changed From-To: freebsd-bugs->freebsd-rc Over to maintainer(s).
State Changed From-To: open->feedback I'm not convinced that this is an actual problem-- are you saying that the value of natd_interface isn't checked for sanity? For the sake of speed it's better to assume that the correct values are put into rc.conf, but is there a disastrous side effect that I'm missing if the value is incorrect?
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
"ipfw divert natd all from any to any via ${natd_interface}" is quite a correct rule for natd_interface being an IP address, and the "via" keyword processes an IP address correctly, as documented in the ipfw(8) manual page. No patches necessary.