Subject: kern/11569: ipnat only allows one operation
To: None <gnats-bugs@gnats.netbsd.org>
From: None <he@runit.no>
List: netbsd-bugs
Date: 11/26/2000 08:08:20
>Number: 11569
>Category: kern
>Synopsis: ipnat only allows one operation
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 26 08:08:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Havard Eidnes
>Release: 1.4.3
>Organization:
RUNIT AS
>Environment:
System: NetBSD orre.runit.no 1.4.3 NetBSD 1.4.3 (ORRE) #6: Sun Oct 29 13:35:01 MET 2000 he@orre.runit.no:/usr/src/sys/arch/hp300/compile/ORRE hp300
>Description:
Enabling ipnat with "ipnat -f /etc/ipnat.conf", where
the /etc/ipnat.conf file contains
map le0 10.186.195.0/24 -> 129.241.196.118/32 portmap tcp/udp 40000:65000
map le0 10.186.195.0/24 -> 129.241.196.118/32
results in
IP Filter: initialized. Default = pass all, Logging = disabled
IP Filter: v3.3.6
but also
IP Filter: already initialized
What appears to have happened is that the last of the IPNAT rules
has not been installed.
Any later run of "ipnat -l" results in an error:
orre# ipnat -l
ioctl(SIOCGNATS): Device busy
orre#
and another logged line saying
IP Filter: already initialized
"Of course it's already initialized". However, that should not
prevent other ipnat commands from working, or the addition of new
rules!
>How-To-Repeat:
See above.
>Fix:
On the face of it, it seems that this should fix the problem
(i.e. I've not tested this at submit time, but will shortly):
diff -u -r1.34.2.4 ip_fil.c
--- ip_fil.c 2000/08/09 18:07:45 1.34.2.4
+++ ip_fil.c 2000/11/26 15:51:55
@@ -436,7 +436,7 @@
* Since the default rule is to pass all packets,
* this shouldn't cause any noticeable side-effects.
*/
- if (fr_running == 0) {
+ if (ipl_inited == 0) {
#if defined(_KERNEL)
error = ipl_enable();
#else
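Review bot: the guard change from `fr_running == 0` to `ipl_inited == 0` is stated above as untested, and the hunk is cut off right after `#else`, so the non-_KERNEL branch that takes the same condition is not visible here; please confirm that branch does not still key off fr_running, and re-run the report's own reproduction (load the two map rules, then `ipnat -l`) to verify that `ioctl(SIOCGNATS): Device busy` and the repeated "IP Filter: already initialized" log line are gone. It would also help to update the comment immediately above the condition ("Since the default rule is to pass all packets ...") to say that auto-enable now runs only until the module has been initialized, since that is what the new test expresses.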
>Release-Note:
>Audit-Trail:
>Unformatted:
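To make the failure mode in the report concrete, here is an added illustration in C that is not NetBSD's ip_fil.c and not part of the bug report: a deliberately simplified model of the ioctl entry guard. The flag and function names (ipl_inited, fr_running, ipl_enable) follow the diff above, but the state transitions, the idea that fr_running stays 0 under the default "pass all" policy, and the helper run_sequence are assumptions made for the demonstration. It shows why gating auto-enable on fr_running makes every later ioctl retry ipl_enable() and hit the "already initialized" path, while gating on ipl_inited enables exactly once.

```c
/* Added illustration only: a toy model of the ioctl guard discussed in
 * kern/11569.  Not NetBSD's ip_fil.c; the state machine is an assumption. */
#include <errno.h>
#include <stdio.h>

static int ipl_inited;   /* set once ipl_enable() has run (assumed) */
static int fr_running;   /* set only when filtering is actually on;
                            assumed to stay 0 under "Default = pass all" */

/* Model of ipl_enable(): second call is the "already initialized" error. */
static int ipl_enable(void)
{
    if (ipl_inited)
        return EBUSY;        /* logged as "IP Filter: already initialized" */
    ipl_inited = 1;
    return 0;
}

static void reset_model(void)
{
    ipl_inited = 0;
    fr_running = 0;
}

/* Old guard from the diff context: auto-enable whenever the filter is
 * not running.  With fr_running stuck at 0, every ioctl after the first
 * calls ipl_enable() again and fails with EBUSY ("Device busy"). */
static int ioctl_old_guard(void)
{
    int error = 0;
    if (fr_running == 0)
        error = ipl_enable();
    return error;
}

/* Patched guard: auto-enable only until initialisation has happened. */
static int ioctl_new_guard(void)
{
    int error = 0;
    if (ipl_inited == 0)
        error = ipl_enable();
    return error;
}

/* Drive n consecutive ioctls through a guard from a fresh state and
 * return the error of the last one (hypothetical helper for the demo). */
static int run_sequence(int (*guard)(void), int n)
{
    int err = 0;
    reset_model();
    for (int i = 0; i < n; i++)
        err = guard();
    return err;
}

int main(void)
{
    /* Mirrors the report: first "ipnat -f" works, the next "ipnat -l" fails. */
    printf("old guard, 1st ioctl: %d\n", run_sequence(ioctl_old_guard, 1));
    printf("old guard, 2nd ioctl: %d (EBUSY is %d)\n",
           run_sequence(ioctl_old_guard, 2), EBUSY);
    printf("new guard, 3rd ioctl: %d\n", run_sequence(ioctl_new_guard, 3));
    return 0;
}
```

The model matches the observed sequence: one successful load, then every further ipnat ioctl reports Device busy while the kernel logs "already initialized". Whether the real ipl_enable() and fr_running behave exactly this way under the default pass-all policy is what the submitter's planned test of the patch should confirm.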