Oops! Masq patch: sorry for huge message (bounced) and wrong files

Rolf Braun (masq@ns1.helixsystems.com)
Sun, 5 Sep 1999 01:03:57 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Julian Anastasov: "Re: [Masq-dev] Oops! Masq patch: sorry for huge message (bounced)"
Previous message: Rolf Braun: "[PATCH] new 2-dir masq patch, and passive FTP mode, with TCP options"

I sent a message containing a new masquerading patch to these lists, and
it was way too large at least for linux-kernel. I'm sending this message
to clarify. The necessary files are at http://mail.helixsystems.com/~masq/

Also, in case you got the original message, the mbfw.c and ip_masq_mbfw.c
files were an old version. Don't use them. Use the ones from the web site.

original text follows (more or less)

--- The following patch is a new version of the 2-dir masq patch I submitted to the kernel list about two months ago. It works very differently this time: packets coming in on 2-dir connections are marked with an skb flag, which is interpreted in the forward chain to force masquerading of that packet, with a second entry created for the other masq direction, also with the 2-dir flag set. Everything is defined out so that it can be a kernel compile option.

The other patch is to ip_masq_app (the app support) and allows modules to key into the system by source port rather than dest port, so it works for servers behind a firewall being accessed from outside. This is also controlled by a #define. The FTP module has code to support masqing of passive FTP.

While I was at it, I fixed a serious problem in the FTP module wherein it assumes the TCP data begins after the TCP header with no options in between. The following is a Bad Thing:

data = (char *)&th[1];

this is the Right Thing:

data = (char *)th; data += th->doff*4;

...assuming that proper bounds checking is also being performed which it is here. This fix is not #defined; it is included regardless of the options set. The problem affected the passive FTP specifically, but it is a bug no matter which way it is sliced.

There's one bug in this patch - the tcp/udp checksum code in masq is conditioned out if the 2-dir option is enabled, because it wasn't working the second time through. This is a bug somewhere, but I need someone to explain to me exactly what it's doing and what all the checksum-related fields in the skb are... thanks.

Oh yes: this _has_ been tested under pretty heavy load. :-)

Any chance of seeing this in 2.2.1[34]? (btw: my employer waives all rights to this code. it's yours.)

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Julian Anastasov: "Re: [Masq-dev] Oops! Masq patch: sorry for huge message (bounced)"
Previous message: Rolf Braun: "[PATCH] new 2-dir masq patch, and passive FTP mode, with TCP options"