Date:      Wed, 18 Jul 2001 15:41:38 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Ari Suutari <ari@suutari.iki.fi>, plk@in.nextra.sk, freebsd-net@FreeBSD.ORG
Subject:   Re: natd and ICMP 3.4 packets
Message-ID:  <20010718154138.B50252@sunbay.com>
In-Reply-To: <20010713164803.A87098@sunbay.com>; from ru@FreeBSD.ORG on Fri, Jul 13, 2001 at 04:48:03PM %2B0300
References:  <20010710110934.D1048@in.nextra.sk> <20010712124152.A80584@sunbay.com> <20010713120211.B4366@in.nextra.sk> <017d01c10b87$b573a4f0$0e05a8c0@coffee> <20010713135855.A65898@sunbay.com> <01f101c10b9e$41482530$0e05a8c0@coffee> <20010713164803.A87098@sunbay.com>


--s2ZSL+KKDSLx8OML
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Jul 13, 2001 at 04:48:03PM +0300, Ruslan Ermilov wrote:
> On Fri, Jul 13, 2001 at 04:18:05PM +0300, Ari Suutari wrote:
> > > >
> > > > Doesn't sound good that IP header with private IP address
> > > > gets sent to internet. - after all, the 195.168.3.210 host on internet
> > knows
> > > > nothing about 10.10.1.2...
> > > >
> > > We have discussed this before with Brian and Charles, and have come
> > > to an agreement that the FIREWALL should block these packets, not NAT.
> > >
> > 
> >     There must be something I don't understand now ? How is the host
> >     on the internet now going to know that smaller MTU is required when
> >     it sends packets to host inside nat'ed network ?
> > 
> Give me a few days guys, OK?  I will come up with a solution.
> 
OK, as was promised...  Please try the attached patch.
You'll have to recompile/install both libalias and natd.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

--s2ZSL+KKDSLx8OML
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p

Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.29
diff -u -p -r1.29 alias.c
--- alias.c	2001/06/04 15:09:51	1.29
+++ alias.c	2001/07/18 12:37:25
@@ -518,6 +518,10 @@ IcmpAliasOut2(struct ip *pip)
     struct udphdr *ud;
     struct tcphdr *tc;
     struct alias_link *link;
+    u_short *sptr;
+    int accumulate;
+    struct in_addr alias_address;
+    u_short alias_port, alias_id;
 
     ic = (struct icmp *) ((char *) pip + (pip->ip_hl << 2));
     ip = &ic->icmp_ip;
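Review bot: `struct in_addr alias_address;` is hoisted to function scope without an initializer, and after this patch it is read unconditionally by the new `DifferentialChecksum`/`pip->ip_src = alias_address` block at the end of IcmpAliasOut2 (last hunk), while it is only assigned inside the UDP/TCP and ICMP branches. Whether any other embedded protocol can reach that block depends on the enclosing `if` condition, which lies outside these hunks; if it can, the outer header is rewritten with an indeterminate address, so this deserves either a comment stating the invariant or an explicit `else return(PKT_ALIAS_IGNORED);` before the rewrite. A comment on the declaration such as `/* set by whichever branch below matched the embedded packet; the unconditional rewrite at the end relies on it */` would make the dependency visible to the next maintainer. IcmpAliasOut2 begins before the first hunk.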
@@ -546,11 +550,6 @@ IcmpAliasOut2(struct ip *pip)
     {
         if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP)
         {
-            u_short *sptr;
-            int accumulate;
-            struct in_addr alias_address;
-            u_short alias_port;
-
             alias_address = GetAliasAddress(link);
             alias_port = GetAliasPort(link);
     
@@ -565,18 +564,6 @@ IcmpAliasOut2(struct ip *pip)
             accumulate -= alias_port;
             ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
 
-/*
- * Alias address in IP header if it comes from the host
- * the original TCP/UDP packet was destined for.
- */
-	    if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
-		DifferentialChecksum(&pip->ip_sum,
-				     (u_short *) &alias_address,
-				     (u_short *) &pip->ip_src,
-				     2);
-		pip->ip_src = alias_address;
-	    }
-
 /* Alias address and port number of original IP packet
 fragment contained in ICMP data section */
             ip->ip_dst = alias_address;
@@ -584,11 +571,6 @@ fragment contained in ICMP data section 
         }
         else if (ip->ip_p == IPPROTO_ICMP)
         {
-            u_short *sptr;
-            int accumulate;
-            struct in_addr alias_address;
-            u_short alias_id;
-
             alias_address = GetAliasAddress(link);
             alias_id = GetAliasPort(link);
 
@@ -603,23 +585,25 @@ fragment contained in ICMP data section 
             accumulate -= alias_id;
             ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
 
-/*
- * Alias address in IP header if it comes from the host
- * the original ICMP message was destined for.
- */
-	    if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
-		DifferentialChecksum(&pip->ip_sum,
-				     (u_short *) &alias_address,
-				     (u_short *) &pip->ip_src,
-				     2);
-		pip->ip_src = alias_address;
-	    }
-
 /* Alias address of original IP packet and sequence number of 
    embedded ICMP datagram */
             ip->ip_dst = alias_address;
             ic2->icmp_id = alias_id;
         }
+
+/*
+ * Alias address in IP header.
+ * If the message is from an intermediate router,
+ * make it look as if it comes from the NAT box.
+ */
+	if (pip->ip_src.s_addr != ip->ip_dst.s_addr)
+	    alias_address = FindAliasAddress(pip->ip_src);
+	DifferentialChecksum(&pip->ip_sum,
+			     (u_short *) &alias_address,
+			     (u_short *) &pip->ip_src,
+			     2);
+	pip->ip_src = alias_address;
+
         return(PKT_ALIAS_OK);
     }
     return(PKT_ALIAS_IGNORED);
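Review bot: The result of `FindAliasAddress(pip->ip_src)` is written straight into the outer IP header with no check, and what that helper yields when no alias exists for the router's source address is not visible in this patch; the goal of the change — that the private source address never reaches the wire while PMTUD still works — rests entirely on that return value, so a comment like `/* FindAliasAddress must yield a public address here; a miss would leak pip->ip_src unchanged — TODO confirm */` or an explicit check is warranted. The single-statement `if (pip->ip_src.s_addr != ip->ip_dst.s_addr)` is unbraced and tab-indented while the surrounding function uses four-space indentation; `if (pip->ip_src.s_addr != ip->ip_dst.s_addr) {` with a closing `}` after the assignment would match the rest of the file and avoid a dangling-statement slip if the block grows. The new block now also runs for the case where the source equals the embedded destination, which the deleted code handled identically, so that part is behaviour-preserving.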

--s2ZSL+KKDSLx8OML--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message



