On Fri, Jul 13, 2001 at 04:48:03PM +0300, Ruslan Ermilov wrote:
> On Fri, Jul 13, 2001 at 04:18:05PM +0300, Ari Suutari wrote:
> > > >
> > > > Doesn't sound good that IP header with private IP address
> > > > gets sent to internet. - after all, the 195.168.3.210 host on internet
> > knows
> > > > nothing about 10.10.1.2...
> > > >
> > > We have discussed this before with Brian and Charles, and have come
> > > up to an agreement that FIREWALL should block these packets, not NAT.
> > >
> > 
> >     There must be something I don't understand now ? How is the host
> >     on the internet now going to know that smaller MTU is required when
> >     it sends packets to host inside nat'ed network ?
> > 
> Give me a few days guys, OK?  I will come up with a solution.
> 
OK, as was promised...  Please try the attached patch.
You'll have to recompile/install both libalias and natd.


Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]           Sunbay Software AG,
[EMAIL PROTECTED]          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.29
diff -u -p -r1.29 alias.c
--- alias.c     2001/06/04 15:09:51     1.29
+++ alias.c     2001/07/18 12:37:25
@@ -518,6 +518,10 @@ IcmpAliasOut2(struct ip *pip)
     struct udphdr *ud;
     struct tcphdr *tc;
     struct alias_link *link;
+    u_short *sptr;
+    int accumulate;
+    struct in_addr alias_address;
+    u_short alias_port, alias_id;
 
     ic = (struct icmp *) ((char *) pip + (pip->ip_hl << 2));
     ip = &ic->icmp_ip;
@@ -546,11 +550,6 @@ IcmpAliasOut2(struct ip *pip)
     {
         if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP)
         {
-            u_short *sptr;
-            int accumulate;
-            struct in_addr alias_address;
-            u_short alias_port;
-
             alias_address = GetAliasAddress(link);
             alias_port = GetAliasPort(link);
     
@@ -565,18 +564,6 @@ IcmpAliasOut2(struct ip *pip)
             accumulate -= alias_port;
             ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
 
-/*
- * Alias address in IP header if it comes from the host
- * the original TCP/UDP packet was destined for.
- */
-           if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
-               DifferentialChecksum(&pip->ip_sum,
-                                    (u_short *) &alias_address,
-                                    (u_short *) &pip->ip_src,
-                                    2);
-               pip->ip_src = alias_address;
-           }
-
 /* Alias address and port number of original IP packet
 fragment contained in ICMP data section */
             ip->ip_dst = alias_address;
@@ -584,11 +571,6 @@ fragment contained in ICMP data section 
         }
         else if (ip->ip_p == IPPROTO_ICMP)
         {
-            u_short *sptr;
-            int accumulate;
-            struct in_addr alias_address;
-            u_short alias_id;
-
             alias_address = GetAliasAddress(link);
             alias_id = GetAliasPort(link);
 
@@ -603,23 +585,25 @@ fragment contained in ICMP data section 
             accumulate -= alias_id;
             ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
 
-/*
- * Alias address in IP header if it comes from the host
- * the original ICMP message was destined for.
- */
-           if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
-               DifferentialChecksum(&pip->ip_sum,
-                                    (u_short *) &alias_address,
-                                    (u_short *) &pip->ip_src,
-                                    2);
-               pip->ip_src = alias_address;
-           }
-
 /* Alias address of original IP packet and sequence number of 
    embedded ICMP datagram */
             ip->ip_dst = alias_address;
             ic2->icmp_id = alias_id;
         }
+
+/*
+ * Alias address in IP header.
+ * If the message is from an intermediate router,
+ * make it look as if it comes from the NAT box.
+ */
+       if (pip->ip_src.s_addr != ip->ip_dst.s_addr)
+           alias_address = FindAliasAddress(pip->ip_src);
+       DifferentialChecksum(&pip->ip_sum,
+                            (u_short *) &alias_address,
+                            (u_short *) &pip->ip_src,
+                            2);
+       pip->ip_src = alias_address;
+
         return(PKT_ALIAS_OK);
     }
     return(PKT_ALIAS_IGNORED);
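Review bot: `alias_address` can be read uninitialized at the new `DifferentialChecksum(&pip->ip_sum, (u_short *) &alias_address, ...)` and `pip->ip_src = alias_address;` lines: the rewrite now runs after the `if (UDP||TCP) ... else if (ICMP)` chain, but `alias_address` is assigned only inside those two branches or by `FindAliasAddress()` when `pip->ip_src` differs from the embedded `ip->ip_dst`, so an embedded packet of any other protocol that reaches this block with `ip_src == ip_dst` would stamp garbage into the outer source address and IP checksum. Whether that path is reachable depends on how `link` is found before the `if` at line 546, which is outside these hunks; if it can be, closing the chain with `else return(PKT_ALIAS_OK);` keeps the old behaviour (no header rewrite) for such packets. The unconditional rewrite is what now stops a private router address from leaving the NAT box in the outer header, which is the leak the thread worried about, and a comment such as `/* never let a private source address leak in the outer header */` would record that intent next to the code. The added lines use a 7-space indent where the surrounding block uses 12; match the existing style. IcmpAliasOut2 begins before this hunk.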
