There appears to be a bug in the printnat() function of
ipfilter (v3.4.31 and earlier).

Line 402 of printnat.c:

    np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);

The above statement swaps the bytes in np->in_nextip and the byte order is
never restored. If new_nat() is called any time after these bytes
have been swapped, then a byte-swapped copy of the IP addr is stored in
the nat lookup table. Any attempts to do nat afterwards will fail.

The only place that np->in_nextip is used in this file is at
line 476:

    printf("\tspace %lu nextip %s pnext %d", np->in_space,
           inet_ntoa(np->in_nextip), np->in_pnext);

I fixed the problem in my code by commenting out line 402 and
changing line 476 to store the byte-swapped address in a local variable.

    /* save the swapped byte copy of np->in_nextip to a local struct and
    ** then printout the local copy */
    struct in_addr nip;
    nip.s_addr = htonl(np->in_nextip.s_addr);
    printf("\tspace %lu nextip %s pnext %d", np->in_space,
           /* inet_ntoa(np->in_nextip) */ inet_ntoa(nip), np->in_pnext);

I'm in the middle of porting ipfilter to run on another OS, so I don't
know if this is a problem with the supported OSes or not, but thought
I'd share this, just in case.

Thanks,
- Scott
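
Added example, not part of the original message and not ipfilter source: a minimal C program contrasting the in-place swap described for line 402 with the local-copy approach, and checking whether the stored address survives a print call. The `struct rule` type and all function names are hypothetical, and it assumes `in_nextip` is held in host byte order, as the message implies.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the NAT rule; only the fields the message names. */
struct rule {
    unsigned long  in_space;
    struct in_addr in_nextip;  /* assumed: kept in host byte order */
    int            in_pnext;
};

/* Line-402 pattern: swap in place for printing and never restore. */
static void print_inplace(struct rule *np, char *out, size_t len)
{
    np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
    snprintf(out, len, "\tspace %lu nextip %s pnext %d", np->in_space,
             inet_ntoa(np->in_nextip), np->in_pnext);
}

/* Local-copy pattern: swap into a local, so the rule can be const. */
static void print_copy(const struct rule *np, char *out, size_t len)
{
    struct in_addr nip;
    nip.s_addr = htonl(np->in_nextip.s_addr);
    snprintf(out, len, "\tspace %lu nextip %s pnext %d", np->in_space,
             inet_ntoa(nip), np->in_pnext);
}

/* Returns 1 if the rule's in_nextip is unchanged after one print call. */
static int nextip_survives(int use_copy)
{
    struct rule r = { 16, { 0 }, 0 };
    char line[128];
    r.in_nextip.s_addr = 0xC0A80101u;  /* 192.168.1.1, constructed sample */
    if (use_copy)
        print_copy(&r, line, sizeof line);
    else
        print_inplace(&r, line, sizeof line);
    return r.in_nextip.s_addr == 0xC0A80101u;
}

int main(void)
{
    /* On a little-endian host this prints 0 then 1; on a big-endian host
       htonl() is a no-op, so the in-place version looks harmless there. */
    printf("in-place: %d\ncopy: %d\n", nextip_survives(0), nextip_survives(1));
    return 0;
}
```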