On Fri, 2002-04-05 at 13:55, Martin Josefsson wrote:
> > Well, why do we have to accept all IP addresses? Why not just accept
> > the client's ip address and the IP address the control connection is
> > SNAT'ed to? This should solve the mIRC problem and still not cause
> > any security problem.
> >
> > Or am I overlooking something?
>
> No I don't think you are overlooking something, I'll change it today and
> send a new patch. Maybe we should make this the default behaviour
> instead of having another parameter?
Here's the new patch, I've tested it and it works fine, allows both the
client's ip and the external ip but barfs on other ip's as it should.
(changes two lines in ip_conntrack_irc.c)

I removed the extra parameter I added in the previous patch, this is now
supported unconditionally.

--
/Martin

Never argue with an idiot. They drag you down to their level, then beat you
with experience.
diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch netfilter/userspace/patch-o-matic/extra/irc-natip.patch --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch Thu Jan 1 01:00:00 1970 +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch Fri Apr 5 16:02:50 2002 @@ -0,0 +1,20 @@ +--- linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c.orig Fri Apr 5 00:50:43 2002 ++++ linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c Fri Apr 5 15:54:20 2002 +@@ -183,7 +183,7 @@ + DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n", + HIPQUAD(dcc_ip), dcc_port); + +- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) { ++ if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) { + if (net_ratelimit()) + printk(KERN_WARNING + "Forged DCC command from " +@@ -209,7 +209,7 @@ + + exp->tuple = ((struct ip_conntrack_tuple) + { { 0, { 0 } }, +- { htonl(dcc_ip), { htons(dcc_port) }, ++ { ct->tuplehash[dir].tuple.src.ip, { htons(dcc_port) }, + IPPROTO_TCP }}); + exp->mask = ((struct ip_conntrack_tuple) + { { 0, { 0 } }, diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help Thu Jan 1 01:00:00 1970 +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help Fri Apr 5 16:02:50 2002 @@ -0,0 +1,6 @@ +Author: Martin Josefsson <[EMAIL PROTECTED]> +Status: Works for me + +This patch adds support for using the external ip in DCC requests. +ip_conntrack_irc now supports two ip's, the ip of the client and +the external ip after NAT.
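Review bot: the new condition in the @@ -183 hunk runs well past 80 columns and should be wrapped in kernel style, e.g. `if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) &&` on one line and `    ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) {` on the next. A one-line comment above it would also help, stating that `tuplehash[!dir].tuple.dst.ip` is the reply-direction destination, i.e. the address the control connection was SNAT'ed to, which is what keeps the relaxed check safe: a DCC address that is neither the client's own nor its translated one still falls through to the "Forged DCC command" warning.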
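Review bot: in the @@ -209 hunk the expectation tuple now unconditionally uses `ct->tuplehash[dir].tuple.src.ip` (the client's untranslated address) instead of `htonl(dcc_ip)`, even when the check above accepted `dcc_ip` because it matched the external address. The two accepted cases therefore produce the same expectation, and the reason that is correct for the external-address case (the incoming DCC connection arrives addressed to the external ip and must still match this expectation after NAT) is not stated anywhere; please add a comment at that line explaining why the advertised address is dropped in favour of the client's source address.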
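Review bot: the irc-natip.patch.help text should say which external ip is accepted, namely the one the control connection is SNAT'ed to, as agreed earlier in the thread, rather than "the external ip" in general, so that users do not read it as accepting arbitrary addresses again. Minor: "ip's" should be "IPs".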