Hello,
I think some -DIPFILTER_CKSUM are missing in the Makefiles: the checksum
validation is not disabled when -DIPFILTER_CKSUM is defined in the main
Makefile.
ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
        -DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
Just to check it, we can add an invalid line "TEST DON_T_RUN_THIS_CODE"
in the proxy code.
/*
 * Check to see if a packet should be passed through an active proxy routine
 * if one has been setup for it. We don't need to check the checksum here if
 * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
 * to be set.
 */
int appr_check(fin, nat)
.....
#ifndef IPFILTER_CKSUM
    TEST DON_T_RUN_THIS_CODE
    if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
        if (ipf_proxy_debug > 0)
            printf("appr_check: l4 checksum failure %d\n",
                   fin->fin_p);
        if (fin->fin_p == IPPROTO_TCP)
            frstats[fin->fin_out].fr_tcpbad++;
        return -1;
    }
#endif
make freebsd6
../../ip_proxy.c: In function `appr_check':
../../ip_proxy.c:483: error: syntax error before "DON_T_RUN_THIS_CODE"
How to fix it: for FreeBSD, patch the BSD/Makefile
275c275
< $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
---
> $(CC) $(KCARGS) $(EXTRA) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
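Review bot: This hunk is in normal diff format with no file name and no context lines, so it applies only if line 275 of BSD/Makefile is exactly the ip_proxy.c rule shown; a unified diff (diff -u) against a named revision would still apply after the Makefile has drifted. Nothing in the visible lines shows that $(EXTRA) is the variable carrying ALLOPTS from the main Makefile, so the message should say so, or the patch should include the line where $(EXTRA) is set.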
286c286
< $(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
---
> $(CC) $(KCARGS) $(EXTRA) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
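Review bot: The ip_fil.c rule at line 286 must be built with the same setting as ip_proxy.c, because the appr_check comment quoted above says the proxy skips its own checksum test when IPFILTER_CKSUM is defined and relies on FI_BAD being set by a failed check; objects compiled with different settings would not agree on who validates the checksum. Only two rules are changed here, so please confirm that every other compile rule in BSD/Makefile and in the Makefiles for other platforms also gets $(EXTRA), or put the define in a variable both rules already use, such as $(DFLAGS).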
--
David Gueluy
[EMAIL PROTECTED]
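
An added example, not part of the original message or of the IPFilter sources: a shell function that lists the Makefile targets whose $(CC) ... -c command does not reference a given make variable, so rules still missing $(EXTRA) can be found without planting a syntax error in each source file. The sample Makefile is constructed, and the target names ip_proxy.o, ip_fil.o and example.o are assumptions.

```shell
#!/bin/sh
# Added example: audit compile rules for a missing make variable.

# rules_missing_var MAKEFILE VARNAME
# Prints one target per line for every rule whose "$(CC) ... -c" command
# line does not reference $(VARNAME).
rules_missing_var() {
    awk -v var="$2" '
        BEGIN { ref = "$(" var ")" }
        # Rule header: starts in column one, has a colon, is not an assignment.
        /^[^ \t#][^=]*:([^=]|$)/ { target = $1; sub(/:.*/, "", target); next }
        # Recipe line (leading tab) that compiles a file with $(CC) -c.
        /^\t/ && index($0, "$(CC)") && / -c / {
            if (!index($0, ref)) print target
        }
    ' "$1"
}

# Constructed sample: the two unpatched command lines from the message,
# under assumed target names, plus one rule that already has $(EXTRA).
sample_makefile() {
    printf 'ALLOPTS=-DIPFILTER_LOG -DIPFILTER_CKSUM\n'
    printf 'example.o: example.c\n'
    printf '\t$(CC) $(KCARGS) $(EXTRA) $(DFLAGS) -c example.c -o $@\n'
    printf 'ip_proxy.o: $(TOP)/ip_proxy.c\n'
    printf '\t$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@\n'
    printf 'ip_fil.o: ip_fil.c\n'
    printf '\t$(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@\n'
}

# Run the audit over the sample and print the targets that need the fix.
demo() {
    tmp=$(mktemp) || return 1
    sample_makefile > "$tmp"
    rules_missing_var "$tmp" EXTRA
    rm -f "$tmp"
}

demo
```

Run against the real BSD/Makefile as: rules_missing_var BSD/Makefile EXTRA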