Ok, fixed mtr with this one.
Darren
Index: fil.c
===================================================================
RCS file: /devel/CVS/IP-Filter/fil.c,v
retrieving revision 2.243.2.2
diff -c -r2.243.2.2 fil.c
*** fil.c 2004/03/09 14:45:36 2.243.2.2
--- fil.c 2004/03/13 17:26:37
***************
*** 839,844 ****
--- 839,847 ----
default :
break;
}
+
+ if (fin->fin_dlen >= 6) /* ID field */
+ fin->fin_data[1] = icmp->icmp_id;
}
frpr_short(fin, minicmpsz);
***************
*** 2664,2669 ****
--- 2667,2673 ----
case IPPROTO_ICMP :
csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
l4hlen = 4;
+ sum = 0;
break;
default :
break;
***************
*** 3774,3781 ****
(rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP_ECHOREPLY)
return 1;
! if ((icmp->icmp_id == ic->ici_id) &&
! (icmp->icmp_seq == ic->ici_seq))
return 1;
}
}
--- 3778,3784 ----
(rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP_ECHOREPLY)
return 1;
! if (icmp->icmp_id == ic->ici_id)
return 1;
}
}
***************
*** 3785,3792 ****
(rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP6_ECHO_REPLY)
return 1;
! if ((icmp->icmp_id == ic->ici_id) &&
! (icmp->icmp_seq == ic->ici_seq))
return 1;
}
}
--- 3788,3794 ----
(rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP6_ECHO_REPLY)
return 1;
! if (icmp->icmp_id == ic->ici_id)
return 1;
}
}
Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.195.2.2
diff -c -r2.195.2.2 ip_nat.c
*** ip_nat.c 2004/03/13 12:07:44 2.195.2.2
--- ip_nat.c 2004/03/13 17:26:14
***************
*** 1855,1860 ****
--- 1855,1862 ----
((tcphdr_t *)fin->fin_dp)->th_sport = port;
} if (flags & IPN_ICMPQUERY) {
((icmphdr_t *)fin->fin_dp)->icmp_id = port;
+ nat->nat_inport = port;
+ nat->nat_outport = port;
}
ni->nai_ip.s_addr = htonl(in.s_addr);
ni->nai_port = port;
***************
*** 2400,2405 ****
--- 2402,2409 ----
int flags = 0, type, minlen;
icmphdr_t *icmp, *orgicmp;
tcphdr_t *tcp = NULL;
+ u_short data[2];
+ nat_t *nat;
ip_t *oip;
u_int p;
***************
*** 2454,2459 ****
--- 2458,2464 ----
# endif
}
#endif
+
p = oip->ip_p;
if (p == IPPROTO_TCP)
flags = IPN_TCP;
***************
*** 2464,2488 ****
/* see if this is related to an ICMP query */
if (nat_icmpquerytype4(orgicmp->icmp_type)) {
! flags = IPN_ICMPQUERY;
/*
* NOTE : dir refers to the direction of the original
* ip packet. By definition the icmp error
* message flows in the opposite direction.
*/
if (dir == NAT_INBOUND)
! return nat_inlookup(fin, flags, p, oip->ip_dst,
! oip->ip_src);
else
! return nat_outlookup(fin, flags, p, oip->ip_dst,
! oip->ip_src);
}
}
if (flags & IPN_TCPUDP) {
- u_short data[2];
- nat_t *nat;
-
minlen += 8; /* + 64bits of data to get ports */
if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen)
return NULL;
--- 2469,2498 ----
/* see if this is related to an ICMP query */
if (nat_icmpquerytype4(orgicmp->icmp_type)) {
! data[0] = fin->fin_data[0];
! data[1] = fin->fin_data[1];
! fin->fin_data[0] = 0;
! fin->fin_data[1] = orgicmp->icmp_id;
!
! flags = IPN_ICMPERR|IPN_ICMPQUERY;
/*
* NOTE : dir refers to the direction of the original
* ip packet. By definition the icmp error
* message flows in the opposite direction.
*/
if (dir == NAT_INBOUND)
! nat = nat_inlookup(fin, flags, p, oip->ip_dst,
! oip->ip_src);
else
! nat = nat_outlookup(fin, flags, p, oip->ip_dst,
! oip->ip_src);
! fin->fin_data[0] = data[0];
! fin->fin_data[1] = data[1];
! return nat;
}
}
if (flags & IPN_TCPUDP) {
minlen += 8; /* + 64bits of data to get ports */
if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen)
return NULL;
***************
*** 2958,2974 ****
ifp = fin->fin_ifp;
else
ifp = NULL;
dst = mapdst.s_addr;
sflags = flags & NAT_TCPUDPICMP;
! if ((flags & IPN_TCPUDP) != 0) {
sport = htons(fin->fin_data[0]);
dport = htons(fin->fin_data[1]);
! gre = NULL;
! } else {
! gre = (p == IPPROTO_GRE) ? fin->fin_dp : NULL;
! sport = 0;
! dport = 0;
}
if ((flags & SI_WILDP) != 0)
goto find_in_wild_ports;
--- 2968,3000 ----
ifp = fin->fin_ifp;
else
ifp = NULL;
+ sport = 0;
+ dport = 0;
+ gre = NULL;
dst = mapdst.s_addr;
sflags = flags & NAT_TCPUDPICMP;
!
! switch (p)
! {
! case IPPROTO_TCP :
! case IPPROTO_UDP :
sport = htons(fin->fin_data[0]);
dport = htons(fin->fin_data[1]);
! break;
! case IPPROTO_ICMP :
! if (flags & IPN_ICMPERR)
! sport = fin->fin_data[1];
! else
! dport = fin->fin_data[1];
! break;
! case IPPROTO_GRE :
! gre = fin->fin_dp;
! break;
! default :
! break;
}
+
+
if ((flags & SI_WILDP) != 0)
goto find_in_wild_ports;
***************
*** 2990,2996 ****
if (nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == dst &&
! (((p == 0) && (sflags == (nat->nat_flags & IPN_TCPUDPICMP)))
|| (p == nat->nat_p))) {
switch (p)
{
--- 3016,3023 ----
if (nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == dst &&
! (((p == 0) &&
! (sflags == (nat->nat_flags & IPN_TCPUDPICMP)))
|| (p == nat->nat_p))) {
switch (p)
{
***************
*** 2998,3003 ****
--- 3025,3039 ----
if (gre->gr_call != nat->nat_gre.gs_call)
continue;
break;
+ case IPPROTO_ICMP :
+ if ((flags & IPN_ICMPERR) != 0) {
+ if (nat->nat_outport != sport)
+ continue;
+ } else {
+ if (nat->nat_outport != dport)
+ continue;
+ }
+ break;
case IPPROTO_TCP :
case IPPROTO_UDP :
if (nat->nat_oport != sport)
***************
*** 3187,3199 ****
ifp = fin->fin_ifp;
srcip = src.s_addr;
sflags = flags & IPN_TCPUDPICMP;
! if ((flags & IPN_TCPUDP) != 0) {
! sport = ntohs(fin->fin_data[0]);
! dport = ntohs(fin->fin_data[1]);
! } else {
! sport = 0;
! dport = 0;
}
if ((flags & SI_WILDP) != 0)
goto find_out_wild_ports;
--- 3223,3248 ----
ifp = fin->fin_ifp;
srcip = src.s_addr;
sflags = flags & IPN_TCPUDPICMP;
! sport = 0;
! dport = 0;
!
! switch (p)
! {
! case IPPROTO_TCP :
! case IPPROTO_UDP :
! sport = htons(fin->fin_data[0]);
! dport = htons(fin->fin_data[1]);
! break;
! case IPPROTO_ICMP :
! if (flags & IPN_ICMPERR)
! sport = fin->fin_data[1];
! else
! dport = fin->fin_data[1];
! break;
! default :
! break;
}
+
if ((flags & SI_WILDP) != 0)
goto find_out_wild_ports;
Index: ip_state.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_state.c,v
retrieving revision 2.186
diff -c -r2.186 ip_state.c
*** ip_state.c 2004/02/10 12:12:20 2.186
--- ip_state.c 2004/03/13 17:27:45
***************
*** 828,834 ****
case ICMP6_ECHO_REQUEST :
is->is_icmp.ici_type = ic->icmp_type;
hv += (is->is_icmp.ici_id = ic->icmp_id);
- hv += (is->is_icmp.ici_seq = ic->icmp_seq);
break;
case ICMP6_MEMBERSHIP_QUERY :
case ND_ROUTER_SOLICIT :
--- 828,833 ----
***************
*** 853,859 ****
case ICMP_MASKREQ :
is->is_icmp.ici_type = ic->icmp_type;
hv += (is->is_icmp.ici_id = ic->icmp_id);
- hv += (is->is_icmp.ici_seq = ic->icmp_seq);
break;
default :
return NULL;
--- 852,857 ----
***************
*** 1856,1865 ****
* XXX theoretically ICMP_ECHOREP and the other reply's are
* ICMP query's as well, but adding them here seems strange XXX
*/
! if ((icmp->icmp_type != ICMP_ECHO) &&
! (icmp->icmp_type != ICMP_TSTAMP) &&
! (icmp->icmp_type != ICMP_IREQ) &&
! (icmp->icmp_type != ICMP_MASKREQ))
return NULL;
/*
--- 1854,1863 ----
* XXX theoretically ICMP_ECHOREP and the other reply's are
* ICMP query's as well, but adding them here seems strange XXX
*/
! if ((icmp->icmp_type != ICMP_ECHO) &&
! (icmp->icmp_type != ICMP_TSTAMP) &&
! (icmp->icmp_type != ICMP_IREQ) &&
! (icmp->icmp_type != ICMP_MASKREQ))
return NULL;
/*
***************
*** 1871,1877 ****
dst.in4 = oip->ip_dst;
hv += dst.in4.s_addr;
hv += icmp->icmp_id;
- hv += icmp->icmp_seq;
hv = DOUBLE_HASH(hv);
READ_ENTER(&ipf_state);
--- 1869,1874 ----
***************
*** 1882,1890 ****
if (is->is_pass & FR_NOICMPERR)
continue;
is = fr_matchsrcdst(&ofin, is, &src, &dst, NULL);
! if (is != NULL &&
! fr_matchicmpqueryreply(is->is_v, &is->is_icmp,
! icmp, fin->fin_rev)) {
if ((is->is_pass & FR_NOICMPERR) != 0) {
RWLOCK_EXIT(&ipf_state);
return NULL;
--- 1879,1885 ----
if (is->is_pass & FR_NOICMPERR)
continue;
is = fr_matchsrcdst(&ofin, is, &src, &dst, NULL);
! if (is != NULL) {
if ((is->is_pass & FR_NOICMPERR) != 0) {
RWLOCK_EXIT(&ipf_state);
return NULL;
***************
*** 2070,2076 ****
if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
(ic->icmp_type == ICMP6_ECHO_REPLY)) {
hv += ic->icmp_id;
- hv += ic->icmp_seq;
}
}
READ_ENTER(&ipf_state);
--- 2065,2070 ----
***************
*** 2131,2137 ****
case IPPROTO_ICMP :
if (v == 4) {
hv += ic->icmp_id;
- hv += ic->icmp_seq;
}
hv = DOUBLE_HASH(hv);
READ_ENTER(&ipf_state);
--- 2125,2130 ----
