Subject: kern/25999: IPnat "bimap" making bad translations in 2.0_BETA or 2.0F
To: None <gnats-bugs@gnats.NetBSD.org>
From: Jeff Rizzo <riz@boogers.sf.ca.us>
List: netbsd-bugs
Date: 06/21/2004 11:08:49
>Number:         25999
>Category:       kern
>Synopsis:       ipnat is corrupting "bimap" translations in 2.0_BETA and -current
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 21 18:09:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Rizzo
>Release:        NetBSD 2.0_BETA and 2.0F (20040613 source date)
>Organization:
Jeff Rizzo                                         http://www.redcrowgroup.com/
>Environment:
System: NetBSD boogers.sf.ca.us 2.0_BETA NetBSD 2.0_BETA (GENERIC) #0: Thu Jun 17 12:49:16 PDT 2004 riz@lychee.tastylime.net:/home/riz/buildobj/usr/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
	The "bimap" option seems to be generating incorrect translations.
My guess (without actually having looked through the source yet) is that
something is being corrupted, because a mapping (from my test 2.0F system)
like:

bimap fxp0 192.168.69.100/32 -> 10.0.5.100/32

is translating "10.0.5.100" into "202.200.48.32" for incoming connections.
(This seems to be flexible.  Another time, it translated it to
"202.202.0.32", and another time to "202.198.144.32".)

The way I am seeing this is from the log output of "ipmon".

>How-To-Repeat:

I initially saw this on a production system running 2.0_BETA, so I duplicated
it on a test machine running 2.0F (source of 20040613 or thereabouts).
The setup was as follows:

My LAN's network is 10.0.0.0/16, so fxp0 of the test system is on
that LAN, with two IP addresses: 10.0.0.100 and 10.0.5.100.  There
are two interfaces, fxp0 and fxp1, whose config is like this:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:02:b0:9a
        media: Ethernet autoselect (100baseTX full-duplex,flowcontrol,rxpause,txpause)
        status: active
        inet 10.0.0.100 netmask 0xffff0000 broadcast 10.0.255.255
        inet alias 10.0.5.100 netmask 0xffff0000 broadcast 10.0.255.255
        inet6 fe80::2e0:81ff:fe02:b09a%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:e0:81:02:b0:9b
        media: Ethernet autoselect (none flowcontrol,rxpause,txpause)
        status: no carrier
        inet 192.168.69.1 netmask 0xffffff00 broadcast 192.168.69.255
        inet6 fe80::2e0:81ff:fe02:b09b%fxp1 prefixlen 64 scopeid 0x2

(note that fxp1 doesn't actually need to be connected, but it doesn't
matter if it is)

/etc/ipf.conf looks like:
pass in quick on fxp0 proto tcp from any to 10.0.0.100/32
pass in quick on fxp0 proto udp from any to 10.0.0.100/32
pass in quick on fxp0 proto icmp from any to 10.0.0.100/32
pass out quick on fxp0 proto tcp from any to any keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state keep frags
pass out quick on fxp0 proto icmp from any to any keep state keep frags
block in log level auth.info quick on fxp0 all

/etc/ipnat.conf looks like:
bimap fxp0 192.168.69.100/32 -> 10.0.5.100/32

I started ipf, ipnat and ipmon like so:

/etc/rc.d/ipf forcestart
/etc/rc.d/ipnat forcestart
/etc/rc.d/ipmon forcestart

This makes denied packets log to /var/log/authlog under the default setup.

When I get on another machine on the LAN (10.0.0.10 in this case), and
do the following:

%  telnet 10.0.5.100 1779

the following appears in /var/log/authlog on the system under test:

Jun 21 11:05:50 md5test ipmon[628]: 11:05:49.759749 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT 
Jun 21 11:05:56 md5test ipmon[628]: 11:05:55.754782 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT 
Jun 21 11:06:07 md5test ipmon[628]: 11:06:07.752125 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT 


As you can see, what should appear as "192.168.69.100" appears as
"202.200.56.32".

This is bad (tm). :)
>Fix:
  No fix known, yet.  I'm going to poke around the ipnat code and
see if I can find anything obvious, but I'm completely unfamiliar
with it.  Perhaps someone else will beat me to it...
>Release-Note:
>Audit-Trail:
>Unformatted:
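As an added check, not part of this PR or of IPFilter/NetBSD itself, the following Python script parses ipmon lines in the exact format quoted in the report and flags inbound NAT-tagged packets on the bimap interface whose logged (post-translation) destination is not within the rule's inside address. It is the kind of test an operator would run over /var/log/authlog to detect the corrupted translations described above without reading the log by hand. The regex, the function names and the fourth sample line (showing what a correct translation of the same connection would log) are assumptions constructed for this example; the first three sample lines are the ones quoted in the report.

```python
"""Check ipmon log lines against an ipnat bimap rule.

Hypothetical defender-side script (not NetBSD or IPFilter code): it parses the
ipmon syslog format quoted in PR kern/25999 and reports inbound NAT'd packets
whose translated destination falls outside the bimap's inside address set.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Matches the ipmon line format seen in the report. This parser is an
# assumption tuned to those lines; other ipmon output variants may differ.
IPMON_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @\d+:\d+ "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len \d+ \d+(?P<flags>.*)$"
)


class IpmonEvent(NamedTuple):
    iface: str
    blocked: bool            # 'b' = blocked, 'p' = passed
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    inbound: bool            # "IN" present in the trailing flags
    natted: bool             # "NAT" present in the trailing flags


def parse_ipmon(line: str) -> Optional[IpmonEvent]:
    """Parse one ipmon line; return None for lines in another format."""
    m = IPMON_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    flags = m.group("flags").split()
    return IpmonEvent(
        iface=m.group("iface"),
        blocked=m.group("action") == "b",
        src=ipaddress.IPv4Address(m.group("src")),
        sport=int(m.group("sport")),
        dst=ipaddress.IPv4Address(m.group("dst")),
        dport=int(m.group("dport")),
        proto=m.group("proto"),
        inbound="IN" in flags,
        natted="NAT" in flags,
    )


class Bimap(NamedTuple):
    iface: str
    inside: ipaddress.IPv4Network   # left-hand side of the rule
    outside: ipaddress.IPv4Network  # right-hand side of the rule


def parse_bimap(rule: str) -> Bimap:
    """Parse 'bimap <iface> <inside>/<len> -> <outside>/<len>' (simple form only)."""
    parts = rule.split()
    if len(parts) != 5 or parts[0] != "bimap" or parts[3] != "->":
        raise ValueError("not a simple bimap rule: %r" % rule)
    return Bimap(parts[1],
                 ipaddress.IPv4Network(parts[2]),
                 ipaddress.IPv4Network(parts[4]))


def check_translations(lines: List[str], bimap: Bimap) -> List[Tuple[IpmonEvent, str]]:
    """Return (event, reason) for inbound NAT'd events on the bimap interface
    whose destination, as logged after translation, is not an inside address."""
    findings = []
    for line in lines:
        ev = parse_ipmon(line)
        if ev is None or ev.iface != bimap.iface:
            continue
        if not (ev.inbound and ev.natted):
            continue  # only post-NAT inbound packets carry the translated dst
        if ev.dst not in bimap.inside:
            findings.append((ev, "destination %s is outside %s after bimap translation"
                             % (ev.dst, bimap.inside)))
    return findings


# The first three lines are quoted from the PR; the fourth is constructed to
# show what the same connection should log once translated correctly.
SAMPLE_LOG = [
    "Jun 21 11:05:50 md5test ipmon[628]: 11:05:49.759749 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT",
    "Jun 21 11:05:56 md5test ipmon[628]: 11:05:55.754782 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT",
    "Jun 21 11:06:07 md5test ipmon[628]: 11:06:07.752125 fxp0 @0:4 b 10.0.0.10,58001 -> 202.200.56.32,1779 PR tcp len 20 60 -S IN NAT",
    "Jun 21 11:07:12 md5test ipmon[628]: 11:07:12.000001 fxp0 @0:4 b 10.0.0.10,58002 -> 192.168.69.100,1779 PR tcp len 20 60 -S IN NAT",
]

RULE = "bimap fxp0 192.168.69.100/32 -> 10.0.5.100/32"

if __name__ == "__main__":
    for ev, why in check_translations(SAMPLE_LOG, parse_bimap(RULE)):
        print("%s:%d -> %s:%d: %s" % (ev.src, ev.sport, ev.dst, ev.dport, why))
```

Run against the real log with `check_translations(open("/var/log/authlog").readlines(), parse_bimap(RULE))`; only lines on the bimap interface carrying both IN and NAT are examined, so ordinary blocked traffic to 10.0.0.100 is ignored, and the three quoted lines are reported while the constructed correct line is not.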