/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */ To michael best The patch modifies ip_forward.c. What errors are you getting. Try downloading the patch from http://www.com.org/~michabes/masq-demasq.zip Run the patch command from /usr/src. Also make sure you use the "-l -p0" options. If it still doesn't work, email me the errors; or you can just send my your ip_forward.c and I'll change it manually for you. -- Michael Best The errors are rejecting part of the patch.. The following is the ip.forward.c /* * INET An implementation of the TCP/IP protocol suite for the LINUX * operating system. INET is implemented using the BSD Socket * interface as the means of communication with the user level. * * The IP forwarding functionality. * * Version: $Id: ip_forward.c,v 1.43 1999/03/21 05:22:37 davem Exp $ * * Authors: see ip.c * * Fixes: * Many : Split from ip.c , see ip_input.c for * history. * Dave Gregorich : NULL ip_rt_put fix for multicast * routing. * Jos Vos : Add call_out_firewall before sending, * use output device for accounting. * Jos Vos : Call forward firewall after routing * (always use output device). * Mike McLagan : Routing by source */ #include <linux/config.h> #include <linux/types.h> #include <linux/mm.h> #include <linux/sched.h> #include <linux/skbuff.h> #include <linux/ip.h> #include <linux/icmp.h> #include <linux/netdevice.h> #include <net/sock.h> #include <net/ip.h> #include <net/tcp.h> #include <net/udp.h> #include <net/icmp.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/firewall.h> #include <linux/ip_fw.h> #ifdef CONFIG_IP_MASQUERADE #include <net/ip_masq.h> #endif #include <net/checksum.h> #include <linux/route.h> #include <net/route.h> #ifdef CONFIG_IP_TRANSPARENT_PROXY /* * Check the packet against our socket administration to see * if it is related to a connection on our system. * Needed for transparent proxying. */ int ip_chksock(struct sk_buff *skb) { switch (skb->nh.iph->protocol) { case IPPROTO_ICMP: return icmp_chkaddr(skb); case IPPROTO_TCP: return tcp_chkaddr(skb); case IPPROTO_UDP: return udp_chkaddr(skb); default: return 0; } } #endif int ip_forward(struct sk_buff *skb) { struct device *dev2; /* Output device */ struct iphdr *iph; /* Our header */ struct rtable *rt; /* Route we use */ struct ip_options * opt = &(IPCB(skb)->opt); unsigned short mtu; #if defined(CONFIG_FIREWALL) || defined(CONFIG_IP_MASQUERADE) int fw_res = 0; #endif if (IPCB(skb)->opt.router_alert && ip_call_ra_chain(skb)) return 0; if (skb->pkt_type != PACKET_HOST) goto drop; /* * According to the RFC, we must first decrease the TTL field. If * that reaches zero, we must reply an ICMP control message telling * that the packet's lifetime expired. */ iph = skb->nh.iph; rt = (struct rtable*)skb->dst; #ifdef CONFIG_CPU_IS_SLOW if (net_cpu_congestion > 1 && !(iph->tos&IPTOS_RELIABILITY) && IPTOS_PREC(iph->tos) < IPTOS_PREC_INTERNETCONTROL) { if (((xtime.tv_usec&0xF)<<net_cpu_congestion) > 0x1C) goto drop; } #endif #ifdef CONFIG_IP_TRANSPARENT_PROXY if (ip_chksock(skb)) goto local_pkt; #endif if (iph->ttl <= 1) goto too_many_hops; if (opt->is_strictroute && rt->rt_dst != rt->rt_gateway) goto sr_failed; /* * Having picked a route we can now send the frame out * after asking the firewall permission to do so. */ skb->priority = rt_tos2priority(iph->tos); dev2 = rt->u.dst.dev; mtu = rt->u.dst.pmtu; #ifdef CONFIG_NET_SECURITY call_fw_firewall(PF_SECURITY, dev2, NULL, &mtu, NULL); #endif /* * We now generate an ICMP HOST REDIRECT giving the route * we calculated. */ if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr) ip_rt_send_redirect(skb); /* We are about to mangle packet. Copy it! */ if ((skb = skb_cow(skb, dev2->hard_header_len)) == NULL) return -1; iph = skb->nh.iph; opt = &(IPCB(skb)->opt); /* Decrease ttl after skb cow done */ ip_decrease_ttl(iph); /* * We now may allocate a new buffer, and copy the datagram into it. * If the indicated interface is up and running, kick it. */ if (skb->len > mtu && (ntohs(iph->frag_off) & IP_DF)) goto frag_needed; #ifdef CONFIG_IP_ROUTE_NAT if (rt->rt_flags & RTCF_NAT) { if (ip_do_nat(skb)) { kfree_skb(skb); return -1; } } #endif #ifdef CONFIG_IP_MASQUERADE if(!(IPCB(skb)->flags&IPSKB_MASQUERADED)) { /* * Check that any ICMP packets are not for a * masqueraded connection. If so rewrite them * and skip the firewall checks */ if (iph->protocol == IPPROTO_ICMP) { __u32 maddr; #ifdef CONFIG_IP_MASQUERADE_ICMP struct icmphdr *icmph = (struct icmphdr *)((char*)iph + (iph->ihl << 2)); if ((icmph->type==ICMP_DEST_UNREACH)|| (icmph->type==ICMP_SOURCE_QUENCH)|| (icmph->type==ICMP_TIME_EXCEEDED)) { #endif maddr = inet_select_addr(dev2, rt->rt_gateway, RT_SCOPE_UNIVERSE); fw_res = ip_fw_masq_icmp(&skb, maddr); if (fw_res < 0) { kfree_skb(skb); return -1; } if (fw_res) /* ICMP matched - skip firewall */ goto skip_call_fw_firewall; #ifdef CONFIG_IP_MASQUERADE_ICMP } #endif } if (rt->rt_flags&RTCF_MASQ) goto skip_call_fw_firewall; } /* MDB 2/3/00 */ #endif /* CONFIG_IP_MASQUERADE */ #ifdef CONFIG_FIREWALL fw_res=call_fw_firewall(PF_INET, dev2, iph, NULL, &skb); /* MDB 2/4/00: If packet was de-masqed, accept it (we only care * about the FW_MASQUERADE flag later) */ if(!(IPCB(skb)->flags&IPSKB_MASQUERADED)) { switch (fw_res) { case FW_ACCEPT: case FW_MASQUERADE: break; case FW_REJECT: icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); /* fall thru */ default: kfree_skb(skb); return -1; } } #endif #ifdef CONFIG_IP_MASQUERADE /* } MDB 2/3/00 */ skip_call_fw_firewall: /* * If this fragment needs masquerading, make it so... * (Don't masquerade de-masqueraded fragments) * MDB 2/3/00 -replaced if statement : do masq demasqed packeds */ /*if (!(IPCB(skb)->flags&IPSKB_MASQUERADED) && (fw_res==FW_MASQUERADE || rt->rt_flags&RTCF_MASQ)) { {*/ if (fw_res==FW_MASQUERADE || (!(IPCB (skb) ->flags&IPSKB_MASQUERADED) && rt->rt_flags&RTCF_MASQ)) { u32 maddr = 0; #ifdef CONFIG_IP_ROUTE_NAT maddr = (rt->rt_flags&RTCF_MASQ) ? rt->rt_src_map : 0; if (maddr == 0) #endif maddr = inet_select_addr(dev2, rt->rt_gateway, RT_SCOPE_UNIVERSE); if (ip_fw_masquerade(&skb, maddr) < 0) { kfree_skb(skb); return -1; } else { /* * Masquerader may have changed skb */ iph = skb->nh.iph; opt = &(IPCB(skb)->opt); } } #endif #ifdef CONFIG_FIREWALL if ((fw_res = call_out_firewall(PF_INET, dev2, iph, NULL,&skb)) < FW_ACCEPT) { /* FW_ACCEPT and FW_MASQUERADE are treated equal: masquerading is only supported via forward rules */ if (fw_res == FW_REJECT) icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); kfree_skb(skb); return -1; } #endif ip_statistics.IpForwDatagrams++; if (opt->optlen == 0) { #ifdef CONFIG_NET_FASTROUTE if (rt->rt_flags&RTCF_FAST && !netdev_fastroute_obstacles) { unsigned h = ((*(u8*)&rt->key.dst)^(*(u8*)&rt->key.src))&NETDEV_FASTROUTE_HMASK; /* Time to switch to functional programming :-) */ dst_release_irqwait(xchg(&skb->dev->fastpath[h], dst_clone(&rt->u.dst))); } #endif ip_send(skb); return 0; } ip_forward_options(skb); ip_send(skb); return 0; #ifdef CONFIG_IP_TRANSPARENT_PROXY local_pkt: return ip_local_deliver(skb); #endif frag_needed: ip_statistics.IpFragFails++; icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); goto drop; sr_failed: /* * Strict routing permits no gatewaying */ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_SR_FAILED, 0); goto drop; too_many_hops: /* Tell the sender its packet died... */ icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0); drop: kfree_skb(skb); return -1; } ---------------------- this bellow is the rejected ip.forward.c.rej *************** *** 191,200 **** } if (rt->rt_flags&RTCF_MASQ) goto skip_call_fw_firewall; #endif /* CONFIG_IP_MASQUERADE */ #ifdef CONFIG_FIREWALL fw_res=call_fw_firewall(PF_INET, dev2, iph, NULL, &skb); switch (fw_res) { case FW_ACCEPT: case FW_MASQUERADE: --- 191,204 ---- } if (rt->rt_flags&RTCF_MASQ) goto skip_call_fw_firewall; + } /* MDB 2/3/00 */ #endif /* CONFIG_IP_MASQUERADE */ #ifdef CONFIG_FIREWALL fw_res=call_fw_firewall(PF_INET, dev2, iph, NULL, &skb); + /* MDB 2/4/00: If packet was de-masqed, accept it (we only care + * about the FW_MASQUERADE flag later) */ + if(!(IPCB(skb)->flags&IPSKB_MASQUERADED)) { switch (fw_res) { case FW_ACCEPT: case FW_MASQUERADE: *************** *** 206,223 **** kfree_skb(skb); return -1; } #endif #ifdef CONFIG_IP_MASQUERADE - } skip_call_fw_firewall: /* * If this fragment needs masquerading, make it so... * (Don't masquerade de-masqueraded fragments) */ - if (!(IPCB(skb)->flags&IPSKB_MASQUERADED) && - (fw_res==FW_MASQUERADE || rt->rt_flags&RTCF_MASQ)) { u32 maddr = 0; #ifdef CONFIG_IP_ROUTE_NAT --- 210,231 ---- kfree_skb(skb); return -1; } + } #endif #ifdef CONFIG_IP_MASQUERADE + /*} MDB 2/3/00 */ skip_call_fw_firewall: /* * If this fragment needs masquerading, make it so... * (Don't masquerade de-masqueraded fragments) + * MDB 2/3/00 - replaced if statement: do masq de-masqed packets */ + /*if (!(IPCB(skb)->flags&IPSKB_MASQUERADED) && + (fw_res==FW_MASQUERADE || rt->rt_flags&RTCF_MASQ)) {*/ + if (fw_res==FW_MASQUERADE || + (!(IPCB(skb)->flags&IPSKB_MASQUERADED) && rt->rt_flags&RTCF_MASQ)) { u32 maddr = 0; #ifdef CONFIG_IP_ROUTE_NAT -------------------------------------------------- If you can help me it would great. Chris Stafidas _______________________________________________ Masq maillist - [EMAIL PROTECTED] Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED] PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/ Please keep general linux/unix/pc/internet questions off the list.
