In article <[EMAIL PROTECTED]>,
Keith Owens <[EMAIL PROTECTED]> wrote:
>If both IPv6 and masq are active, incoming v6-in-v4 packets are
>discarded by masq. Quick and dirty workaround against 2.1.131, by no
>means the full fix for masq and tunnels.
>
>Index: linux/net/ipv4/ip_masq.c
>--- linux/net/ipv4/ip_masq.c Sun, 29 Nov 1998 22:22:10 +1100 keith
>(linux-2.1/C/40_ip_masq.c 1.1.1.7 644)
>+++ linux/net/ipv4/ip_masq.c Tue, 22 Dec 1998 03:01:29 +1100 keith
>(linux-2.1/C/40_ip_masq.c 1.1.1.7 644)
>@@ -993,6 +993,10 @@
> }
>
> break;
>+ case IPPROTO_IPV6:
>+ if (size >= sizeof(struct ipv6hdr))
>+ ret = sizeof(struct ipv6hdr);
>+ break;
> }
> if (ret < 0)
> IP_MASQ_DEBUG(0, "mess proto_doff for proto=%d, size =%d\n",
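
Review bot: The new `case IPPROTO_IPV6:` branch carries no comment saying why the fixed IPv6 header length is the right data offset for a v6-in-v4 payload, and when `size` is smaller than `sizeof(struct ipv6hdr)` it leaves `ret` at whatever value it had before the switch, so the short-packet case depends on an initialisation that is not visible in this hunk. Setting `ret` explicitly in an `else` arm and adding a one-line comment that protocol 41 is only being passed through, not masqueraded, would make the intent clear. The patch consists of this single hunk and adds no `#include`, so it is worth confirming that `struct ipv6hdr` is declared in ip_masq.c when IPv6 is not configured.
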
Similar problems exist with tunnels and masquerading. In some cases incoming
tunnel packets can end up being checked by ip_fw_demasquerade(), which will
fail, causing the packet to be dropped.
The following works but it would be more appropriate to change the code so
that ip_fw_demasquerade() only attempts to demasquerade a specific
set of protocols: IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_TCP and IPPROTO_IPV6 etc.
--- ip_masq.c.save Mon Dec 21 10:47:21 1998
+++ ip_masq.c Mon Dec 21 10:56:24 1998
@@ -1776,7 +1776,11 @@
size = ntohs(iph->tot_len) - (iph->ihl * 4);
doff = proto_doff(iph->protocol, h.raw, size);
- if (doff < 0) {
+ /* added check for tunnels,
+ * Wouldn't it be better to only do demasquerading if protocol is
+ * IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_TCP?
+ */
+ if (iph->protocol != IPPROTO_IPIP && iph->protocol != IPPROTO_GRE && doff <
+0) {
IP_MASQ_DEBUG(0, "I-pkt invalid packet data size\n");
return -1;
}
--
Stuart Lynne <[EMAIL PROTECTED]> 604-461-7532 <http://edge.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00 88 EC A3 EE 2D 1C 15 68