Project

General

Profile

Actions

Bug #193

closed

NAT reflection duplicate entries

Added by Chris Buechler about 15 years ago. Updated almost 15 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
Start date:
11/29/2009
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

(confirmed in 2.0 and moved from cvstrac)

Hi, the problem is with automatic NAT reflection.

Everytime you add a nat rule, the nat reflection rule in inetd.conf is created N times where N is the number of interface assigned.

this is an example of inetd.conf with two rules for HTTP and HTTPS webserver on a machine with six itnerface:

19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443

The system adds the same line in inetd.conf for the number of interface that you have configured.

I've six interface then i get six lines with same content, on another test machine with two interface i get two line with same content.


Files

Actions #1

Updated by Scott Ullrich about 15 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #2

Updated by Erik Fonnesbeck almost 15 years ago

After some of the restructuring of NAT reflection and subsequent fixes, this has regressed and it currently does this again.

The attached patch builds a list of the interfaces to put on a single rdr rule instead of making multiple entries and only adds the lines to inetd.conf once instead of duplicating for each interface.

Note: the patch may look messier here than it really is. Excluding whitespace changes because of reducing the indent level, there are really very few changed lines.

Actions #3

Updated by Chris Buechler almost 15 years ago

  • Status changed from Resolved to New
  • Priority changed from Low to Normal
Actions #4

Updated by Ermal Luçi almost 15 years ago

  • Status changed from New to Feedback

Committed fix based on yours.
Thanks.

Actions #5

Updated by Chris Buechler almost 15 years ago

  • Status changed from Feedback to Resolved

fixed

Actions

Also available in: Atom PDF