>Number:         171279
>Category:       bin
>Synopsis:       bsnmpd can reply from other address
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 03 14:50:04 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Konstantin Kukushkin
>Release:        FreeBSD 9.0-STABLE amd64
>Organization:
Rambler Internet Holding, LLC
>Environment:
System: FreeBSD vpn1-m1.rambler.ru 9.0-STABLE FreeBSD 9.0-STABLE #2 r231584M: Mon Feb 13 18:24:25 MSK 2012 gleb...@vpn1-m1.rambler.ru:/usr/obj/usr/home/glebius/9/sys/VPN amd64

>Description:
        bsnmpd by default listens on INADDR_ANY, and on a multihomed system the
daemon can receive queries to some addresses.
When replying to a query, bsnmpd simply uses sendto(), so the OS builds the
response datagram with the source IP nearest to the sender, which may not be
equal to the destination IP of the source query.
This is OK for net-snmp utils like snmpget & snmpwalk, but this can't work with
stateful firewalls like ipfw(4) or pf(4).

Please fix it.

>How-To-Repeat:
I used the multihomed host vpn1-m1:
[pts/2] dark@vpn1-m1:~> ( ifconfig bge0 inet ; ifconfig lo0 inet )|grep inet
        inet 81.19.94.147 netmask 0xfffffff8 broadcast 81.19.94.151
        inet 127.0.0.1 netmask 0xff000000 
        inet 81.19.64.133 netmask 0xffffffff 
        inet 81.19.79.1 netmask 0xffffffff 
with ``onestarted`` bsnmpd:
[pts/2] dark@vpn1-m1:~> sudo /etc/rc.d/bsnmpd onestart
Starting bsnmpd.
[pts/2] dark@vpn1-m1:~> sockstat | grep 'bsnmpd.*161'
root     bsnmpd     38365 6  udp4   *:161                 *:*

and another host to query an address routed to vpn1-m1:
[pts/53] dark@dark:~> ifconfig re0 inet|grep inet
        inet 81.19.64.109 netmask 0xffffffe0 broadcast 81.19.64.127

[pts/53] dark@dark:~> snmpget -v 2c -c public 81.19.64.133 sysDescr.0
Timeout: No Response from 81.19.64.133.

tcpdump on the multihomed host shows that bsnmpd replies from a source other
than the query destination:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:16.007788 IP 81.19.64.109.60689 > 81.19.64.133.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
15:17:16.008005 IP 81.19.94.147.161 > 81.19.64.109.60689:  GetResponse(76)  .1.3.6.1.2.1.1.1.0="vpn1-m1.rambler.ru 4212937669 FreeBSD 9.0-STABLE"
>Fix:

Other UDP servers like named try to create listen sockets bind()'ed on addresses
from getifaddrs() output, not INADDR_ANY. When a daemon receives a query on a
bind()'ed socket, it knows to which address the query was sent and can reply
correctly.
Unfortunately I don't know any other mechanism for getting the datagram
destination address in FreeBSD; in Linux there is the 'IP_PKTINFO' socket option
for this.
>Release-Note:
>Audit-Trail:
>Unformatted:
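
Added example, not part of the original report and not bsnmpd's code: FreeBSD's ip(4) documents IP_RECVDSTADDR, which makes recvmsg() return a datagram's destination address, and IP_SENDSRCADDR (same value), which sets the source address in sendmsg(). The code below keeps one INADDR_ANY socket and replies from the queried address that way, using IP_PKTINFO where it is defined (Linux). The names echo_once and reply_source and the loopback addresses are constructed for the example.

```c
#define _GNU_SOURCE                     /* glibc: expose struct in_pktinfo */
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef IP_PKTINFO                       /* Linux: control payload is struct in_pktinfo */
#define DST_OPT IP_PKTINFO
#else                                   /* FreeBSD ip(4): payload is struct in_addr */
#define DST_OPT IP_RECVDSTADDR          /* IP_SENDSRCADDR has the same value */
#endif
/* Receive one datagram and echo it back. With fix set, the kernel's control message
 * (the query's destination address) goes back into sendmsg() as the reply's source. */
ssize_t echo_once(int s, int fix) {
    union { struct cmsghdr hdr; char buf[128]; } ctl;   /* union keeps the buffer aligned */
    char data[512]; struct sockaddr_in peer; struct iovec iov = { data, sizeof data };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    ssize_t n = recvmsg(s, &m, 0); if (n < 0) return n;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    int have = fix && c && c->cmsg_level == IPPROTO_IP && c->cmsg_type == DST_OPT;
    if (!have) { m.msg_control = NULL; m.msg_controllen = 0; }  /* same as plain sendto() */
#ifdef IP_PKTINFO
    if (have) {                         /* clear the inbound ifindex so routing picks the exit */
        struct in_pktinfo pi; memcpy(&pi, CMSG_DATA(c), sizeof pi);
        pi.ipi_ifindex = 0; memcpy(CMSG_DATA(c), &pi, sizeof pi);
    }
#endif
    iov.iov_len = (size_t)n;
    return sendmsg(s, &m, 0);
}

/* Constructed loopback check: returns the source address of the reply to a query sent
 * to ip. 127.0.0.2 is local on Linux; elsewhere pass an address configured on the host. */
const char *reply_source(const char *ip, int fix) {
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in a = { .sin_family = AF_INET }, from = a; struct timeval tv = { 2, 0 };
    socklen_t alen = sizeof a, flen = sizeof from; static char out[INET_ADDRSTRLEN]; char b[8];
    setsockopt(srv, IPPROTO_IP, DST_OPT, &on, sizeof on);   /* ask for the destination address */
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    bind(srv, (struct sockaddr *)&a, sizeof a);             /* INADDR_ANY, kernel-chosen port */
    getsockname(srv, (struct sockaddr *)&a, &alen);
    inet_pton(AF_INET, ip, &a.sin_addr);
    sendto(cli, "q", 1, 0, (struct sockaddr *)&a, sizeof a);
    if (echo_once(srv, fix) == 1) recvfrom(cli, b, sizeof b, 0, (struct sockaddr *)&from, &flen);
    close(srv); close(cli);
    return inet_ntop(AF_INET, &from.sin_addr, out, sizeof out);
}
```

With fix set to 0 the reply to a query for 127.0.0.2 comes back from the route's default source, which is the behaviour in the tcpdump capture above; with fix set to 1 it comes back from 127.0.0.2.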