The following is from an email sent to me from the tech support dept at Kali. It describes how to change (fix?) IP Masquerading in such a way so that the Kali multi-user gaming system works properly through IP Masq. I'm going to hack my kernel to try this out, but does this sound like a reasonable change to the kernel? Will it fix problems with other UDP based software?

...

They try to process UDP and TCP exactly the same. They can't; UDP is different. When looking for an already established masq for UDP you only need to check for matching saddr and sport (source address and source port). They check for daddr and dport (destination) as well. This will not work properly for UDP.

I can "hack" the current code to do this, but it might be better to ask one of the people who maintain that source code to fix it officially. The fix would be to simply check the protocol first. If it's TCP just keep doing everything the same. For UDP, only check to see if the source is the same.

Actually, some of this code already exists, but was only partially added (only checks on incoming packets, not outgoing, and only ignores the address, not the port). In ip_masq.c there is a function called ip_masq_out_get_2().
Just change this function to the following (looks much like the ip_masq_in_get_2() function now):

    struct ip_masq *
    ip_masq_out_get_2(int protocol, __u32 s_addr, __u16 s_port, __u32 d_addr, __u16 d_port)
    {
        unsigned hash;
        struct ip_masq *ms;

        hash = ip_masq_hash_key(protocol, s_addr, s_port);
        for (ms = ip_masq_s_tab[hash]; ms; ms = ms->s_link) {
            /* destination address/port are compared only when the entry
               does not carry the NO_DADDR / NO_DPORT flag */
            if (protocol == ms->protocol &&
                s_addr == ms->saddr && s_port == ms->sport &&
                (d_addr == ms->daddr || ms->flags & IP_MASQ_F_NO_DADDR) &&
                (d_port == ms->dport || ms->flags & IP_MASQ_F_NO_DPORT)
               ) {
                return ms;
            }
        }
        return NULL;
    }

-----

Also change ip_masq_new() where it currently reads:

    if (proto == IPPROTO_UDP)
        ms->flags |= IP_MASQ_F_NO_DADDR;

Change that to this:

    if (proto == IPPROTO_UDP) {
        ms->flags |= IP_MASQ_F_NO_DADDR;
        ms->flags |= IP_MASQ_F_NO_DPORT;
    }

Recompile the kernel and it should work. I would really like to find the person that maintains this source code though and see if he sees any problems with these changes. If you try this and it works that would help convince them to change it officially.

My only concern is that this code would affect something else. I read as much of the source code as possible and didn't find any other code that would care about this being set (especially as it's only for UDP). I've made this same fix to other apps before and it's always worked (I know it will work if the changes I made were done in the right place and don't affect other functions).
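An added example, not part of the original e-mail or the kernel source: a small user-space C model of the outbound lookup above, counting how many masq entries one local UDP socket creates when it sends to three peers under strict 4-tuple matching, with only the NO_DADDR wildcard, and with both wildcards. The flat table, the F_* flag values, send_pkt(), entries_for_peers() and all addresses and ports are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define F_NO_DADDR 0x01 /* stand-in for IP_MASQ_F_NO_DADDR (value assumed) */
#define F_NO_DPORT 0x02 /* stand-in for IP_MASQ_F_NO_DPORT (value assumed) */
#define TAB_MAX 16
struct masq { int proto; uint32_t saddr, daddr; uint16_t sport, dport; unsigned flags; };
static struct masq tab[TAB_MAX]; /* toy flat table; the kernel uses hash chains */
static size_t tab_len;

/* Same match expression as the posted ip_masq_out_get_2(): a set flag skips that comparison. */
static struct masq *out_get(int proto, uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp)
{
    for (size_t i = 0; i < tab_len; i++) {
        struct masq *ms = &tab[i];
        if (proto == ms->proto && sa == ms->saddr && sp == ms->sport &&
            (da == ms->daddr || (ms->flags & F_NO_DADDR)) &&
            (dp == ms->dport || (ms->flags & F_NO_DPORT)))
            return ms;
    }
    return NULL;
}

/* Outbound packet: reuse a matching entry, else create one; udp_flags models ip_masq_new(). */
static void send_pkt(int proto, uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp, unsigned udp_flags)
{
    if (out_get(proto, sa, sp, da, dp) || tab_len == TAB_MAX)
        return;
    tab[tab_len++] = (struct masq){ proto, sa, da, sp, dp, proto == PROTO_UDP ? udp_flags : 0 };
}

/* Entries created when one local socket sends to n peers, each with its own address and port. */
size_t entries_for_peers(int proto, unsigned udp_flags, int n)
{
    tab_len = 0;
    for (int i = 1; i <= n; i++) /* constructed: 192.168.1.2:5000 -> 203.0.113.i:(6000+i) */
        send_pkt(proto, 0xC0A80102u, 5000, 0xCB007100u + i, (uint16_t)(6000 + i), udp_flags);
    return tab_len;
}

int main(void)
{
    printf("strict=%zu no_daddr=%zu both=%zu\n", entries_for_peers(PROTO_UDP, 0, 3),
           entries_for_peers(PROTO_UDP, F_NO_DADDR, 3), entries_for_peers(PROTO_UDP, F_NO_DADDR | F_NO_DPORT, 3));
    return 0;
}
```

With both flags set, an entry matches on the local source address and port alone, so the mapping is no longer tied to one remote endpoint; that is the behaviour change to weigh when reviewing the proposal.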