Bug #193

NAT reflection duplicate entries

Added by Chris Buechler over 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 11/29/2009
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

(confirmed in 2.0 and moved from cvstrac)

Hi, the problem is with automatic NAT reflection.

Every time you add a NAT rule, the NAT reflection rule in inetd.conf is created N times, where N is the number of interfaces assigned.

This is an example of inetd.conf with two rules for an HTTP and HTTPS webserver on a machine with six interfaces:

19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443

The system adds the same line to inetd.conf as many times as the number of interfaces that you have configured.

I have six interfaces, so I get six lines with the same content; on another test machine with two interfaces I get two lines with the same content.

Associated revisions

Revision b93a3dd5 (diff)
Added by Scott Ullrich over 9 years ago

Do not allow duplicate netcat reflection entries. Resolves #193

Revision 01fa26e8 (diff)
Added by Ermal Luçi over 9 years ago

Ticket #193. Reduce number of lines created for reflection in inetd and lines of rdr created on ruleset. Hints-from: Erik Fonnesbeck

History

#1 Updated by Scott Ullrich over 9 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Erik Fonnesbeck over 9 years ago

After some of the restructuring of NAT reflection and subsequent fixes, this has regressed and it currently does this again.

The attached patch builds a list of the interfaces to put on a single rdr rule instead of making multiple entries and only adds the lines to inetd.conf once instead of duplicating for each interface.

Note: the patch may look messier here than it really is. Excluding whitespace changes because of reducing the indent level, there are really very few changed lines.
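The duplication described in the report and the single-pass generation Erik's patch describes, as an added Python illustration that is not part of the ticket or of pfSense's own code: the first function parses inetd.conf lines of the shape shown above and reports every reflection target that is listened for more than once; the second builds the entries the way the fix does, one inetd line per NAT rule plus one rdr rule carrying the whole interface list. The interface names, the 127.0.0.1 redirect target and the rdr syntax are simplified assumptions, not pfSense's exact generated ruleset.

```python
"""Detect duplicated NAT-reflection inetd entries and build them once per rule."""
import re
from collections import defaultdict

# Line shape from the report: <port> stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 <host> <port>
INETD_RE = re.compile(
    r"^(?P<lport>\d+)\s+stream\s+tcp\s+nowait/0\s+nobody\s+/usr/bin/nc\s+nc\s+-w\s+\d+\s+"
    r"(?P<host>\S+)\s+(?P<port>\d+)\s*$"
)

def duplicate_reflection_targets(inetd_conf: str) -> dict:
    """Map each (host, port) target to the listening ports that forward to it.

    More than one listening port per target means the reflection entry was
    emitted more than once, which is the symptom in this ticket."""
    targets = defaultdict(list)
    for line in inetd_conf.splitlines():
        m = INETD_RE.match(line.strip())
        if m:
            targets[(m["host"], int(m["port"]))].append(int(m["lport"]))
    return {t: ports for t, ports in targets.items() if len(ports) > 1}

def build_reflection(rules, interfaces, first_port=19001):
    """Fixed generator: one inetd line per NAT rule and one rdr rule listing all
    interfaces, instead of one of each per interface.  rules = [(host, port), ...]."""
    inetd_lines, rdr_rules = [], []
    iflist = "{ " + ", ".join(interfaces) + " }"   # assumed pf interface-list form
    for i, (host, port) in enumerate(rules):
        lport = first_port + i
        inetd_lines.append(f"{lport} stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 {host} {port}")
        # Simplified rdr form; 127.0.0.1 as the redirect target is an assumption.
        rdr_rules.append(f"rdr on {iflist} proto tcp from any to any port {port} -> 127.0.0.1 port {lport}")
    return inetd_lines, rdr_rules

# Constructed sample: the six-interface inetd.conf from the report (ports 19001-19012)
SAMPLE = "\n".join(
    f"{19000 + i} stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 {80 if i <= 6 else 443}"
    for i in range(1, 13)
)

if __name__ == "__main__":
    for (host, port), ports in duplicate_reflection_targets(SAMPLE).items():
        print(f"{host}:{port} reflected {len(ports)} times on ports {ports}")
    lines, rdrs = build_reflection([("192.168.0.2", 80), ("192.168.0.2", 443)],
                                   ["em0", "em1", "em2", "em3", "em4", "em5"])
    print(*lines, *rdrs, sep="\n")
```

Running the checker over the fixed generator's own output returns no duplicates, which is the property the patch restores.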

#3 Updated by Chris Buechler over 9 years ago

  • Status changed from Resolved to New
  • Priority changed from Low to Normal

#4 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

Committed fix based on yours.
Thanks.

#5 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

fixed
