Fix for icmp.c for firewalling rules that return PORT_UNREACH

Evan Harris (eharris@puremagic.com)
Wed, 15 Oct 1997 23:49:45 -0500 (CDT)


This is my stab at a quick and dirty fix for the kernel firewalling
problem I detailed last week.

Comments/suggestions are welcome. I hope this (or a cleaner version of
the same fix) gets rolled into the next versions of the stable and
development kernels.

---- Cut here ----
*** icmp.c.orig Wed Oct 15 23:40:03 1997
--- icmp.c Wed Oct 15 23:42:52 1997
***************
*** 603,609 ****

saddr=iph->daddr;
if(saddr!=dev->pa_addr && ip_chk_addr(saddr)!=IS_MYADDR)
! saddr=dev->pa_addr;
if(ip_options_echo(&icmp_param.replyopts, NULL, saddr, iph->saddr, skb_in))
return;

--- 603,613 ----

saddr=iph->daddr;
if(saddr!=dev->pa_addr && ip_chk_addr(saddr)!=IS_MYADDR)
! /* Modified by EJH to fake ICMP PORT_UNREACH responses for firewalling
! for the special case of DEST_UNREACH PORT_UNREACH, do not rewrite the saddr
! Probably not the best method, as there may be side effects, but quick and dirty */
! if ((type != ICMP_DEST_UNREACH) || (code != ICMP_PORT_UNREACH))
! saddr=dev->pa_addr;
if(ip_options_echo(&icmp_param.replyopts, NULL, saddr, iph->saddr, skb_in))
return;
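Review bot: the new test `if ((type != ICMP_DEST_UNREACH) || (code != ICMP_PORT_UNREACH))` keys only on the ICMP type and code. It therefore skips the `saddr=dev->pa_addr;` rewrite for every port-unreachable error that reaches this point with a non-local `iph->daddr`, not only for those produced by a firewall rule. In all of those cases the reply leaves with a source address that the outer condition has just established is neither `dev->pa_addr` nor `IS_MYADDR`, and that same address is what gets passed to `ip_options_echo()`. Consider having the caller on the firewall reject path signal the exemption explicitly (for example through a flag or an extra argument), so that ordinary error generation keeps the existing rewrite. The in-code comment already admits possible side effects; it should name them or be backed by a check. Separately, the outer `if` now controls a nested `if` with a multi-line comment between them and no braces. Add braces around the inner statement so a later edit cannot silently change which statement the outer condition guards.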

---- Cut here ----

--
| Evan Harris - Consultant, Harris Enterprises - eharris@puremagic.com
|
| Custom Solutions for your Software, Networking, and Telephony Needs