mssclamp in 4.1

This is a discussion on mssclamp in 4.1 within the IPFilter forums, part of the System Security and Security Related category.


02-15-2004
Darren Reed


Well one thing is for sure, mssclamp'ing never got tested (just not
something I use or...) so it was never noticed that it was not working.

Anyhow, all of the problems you encountered should be fixed with all
of the patches below (which include the one I sent to you before.)

Darren

Index: ip_nat.c
================================================== =================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.195
diff -c -r2.195 ip_nat.c
*** ip_nat.c 2004/02/11 15:11:38 2.195
--- ip_nat.c 2004/02/15 15:28:16
***************
*** 4576,4585 ****
case TCPOPT_MAXSEG:
if (advance != 4)
break;
! mss = cp[0] * 256 + cp[1];
if (mss > maxmss) {
! cp[0] = maxmss / 256;
! cp[1] = maxmss & 0xff;
CALC_SUMD(mss, maxmss, sumd);
fix_outcksum(fin, csump, sumd);
}
--- 4576,4585 ----
case TCPOPT_MAXSEG:
if (advance != 4)
break;
! mss = cp[2] * 256 + cp[3];
if (mss > maxmss) {
! cp[2] = maxmss / 256;
! cp[3] = maxmss & 0xff;
CALC_SUMD(mss, maxmss, sumd);
fix_outcksum(fin, csump, sumd);
}
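
Review bot: the corrected read `mss = cp[2] * 256 + cp[3]` is guarded in this hunk only by `advance != 4`, so it depends on the enclosing option loop having already verified that all four bytes of the option lie inside the TCP header's option area. Please confirm that check exists; otherwise an MSS option that starts in the last bytes of the options would be read and rewritten past the header. A one-line comment stating that cp points at the option kind byte, so the value sits at offsets 2 and 3, would help keep the original off-by-two from returning.
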
Index: lib/printnat.c
================================================== =================
RCS file: /devel/CVS/IP-Filter/lib/printnat.c,v
retrieving revision 1.22
diff -c -r1.22 printnat.c
*** printnat.c 2004/01/17 17:30:43 1.22
--- printnat.c 2004/02/15 14:55:04
***************
*** 200,205 ****
--- 200,209 ----
if (np->in_age[0] != 0 || np->in_age[1] != 0) {
printf(" age %d/%d", np->in_age[0], np->in_age[1]);
}
+ if (np->in_mssclamp != 0)
+ printf(" mssclamp %d", np->in_mssclamp);
+ if (np->in_tag.ipt_tag[0] != '\0')
+ printf(" tag %s", np->in_tag.ipt_tag);
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
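
Review bot: in `printf(" tag %s", np->in_tag.ipt_tag)` the string is printed with an unbounded `%s`, and the only check is on `ipt_tag[0]`. If ipt_tag is a fixed-size array that can be filled to its full length, there is no terminator to stop the read; a bounded form such as `%.*s` with the array size would be safer. The `%d` for `np->in_mssclamp` should also match the field's declared type (use `%u` if it is unsigned).
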
Index: test/expected/in1
================================================== =================
RCS file: /devel/CVS/IP-Filter/test/expected/in1,v
retrieving revision 2.4
diff -c -r2.4 in1
*** in1 2003/08/14 14:23:37 2.4
--- in1 2004/02/15 14:55:15
***************
*** 23,25 ****
--- 23,26 ----
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag age 30/30
map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
+ map thisisalonginterthisisalonginter 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere
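
Review bot: the expected interface name `thisisalonginterthisisalonginter` is the first 16 characters of the regress input `thisisalonginterfacenametotest0123` (added in test/regress/in1) printed twice. That looks like a truncated name being printed without a terminator and running into an adjacent copy rather than deliberate output. If truncation is intended, the expected line should show the 16-character name once and the print path should bound the read; otherwise this test locks the over-read in as correct behaviour.
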
Index: test/expected/n10
================================================== =================
RCS file: n10
diff -N n10
*** /dev/null Thu Feb 12 02:15:47 2004
--- n10 Mon Feb 16 02:28:43 2004
***************
*** 0 ****
--- 1,6 ----
+ 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 655d 0000 0204 0064
+ -------------------------------
+ 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 61d9 0000 0204 03e8
+ -------------------------------
+ 4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 600d 0000 0204 05b4
+ -------------------------------
Index: test/input/n10
================================================== =================
RCS file: n10
diff -N n10
*** /dev/null Thu Feb 12 02:15:47 2004
--- n10 Mon Feb 16 02:28:43 2004
***************
*** 0 ****
--- 1,6 ----
+ # TCP SYN packet with an MSS option
+ [out,ppp0]
+ 4500 002c 10c9 4000 ff06 3289 c0a8 0103
+ 96cb e002 8032 0015 bd6b c9c8 0000 0000
+ 6002 2238 35f9 0000 0204 05b4
+
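
Review bot: the single input packet carries the MSS option (`0204 05b4`) as the only option, at the very start of the option area. Since the bug being fixed was a wrong offset within the option, a second SYN with the MSS option preceded by other options (for example NOP padding) would show that the offsets are correct relative to the option and not just to the start of the option area. A case with a malformed MSS length would also exercise the `advance != 4` path.
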
Index: test/regress/in1
================================================== =================
RCS file: /devel/CVS/IP-Filter/test/regress/in1,v
retrieving revision 2.2
diff -c -r2.2 in1
*** in1 2003/01/21 16:04:20 2.2
--- in1 2004/02/15 14:55:22
***************
*** 23,25 ****
--- 23,26 ----
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag age 30
map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
+ map thisisalonginterfacenametotest0123 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
Index: test/regress/n10
================================================== =================
RCS file: n10
diff -N n10
*** /dev/null Thu Feb 12 02:15:47 2004
--- n10 Mon Feb 16 02:28:44 2004
***************
*** 0 ****
--- 1,3 ----
+ map ppp0 0/0 -> 203.203.203.203/32 mssclamp 100
+ map ppp0 0/0 -> 203.203.203.203/32 mssclamp 1000
+ map ppp0 0/0 -> 203.203.203.203/32 mssclamp 10000
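
Review bot: the three clamp values (100, 1000, 10000) bracket the input MSS of 1460 but none sits on the boundary. Adding `mssclamp 1460` would check that the `mss > maxmss` comparison leaves an equal value and its checksum untouched, and `mssclamp 1459` would check the smallest possible adjustment through `CALC_SUMD`.
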
Index: tools/ipnat_y.y
================================================== =================
RCS file: /devel/CVS/IP-Filter/tools/ipnat_y.y,v
retrieving revision 1.30
diff -c -r1.30 ipnat_y.y
*** ipnat_y.y 2004/02/07 17:17:31 1.30
--- ipnat_y.y 2004/02/15 14:55:08
***************
*** 535,540 ****
--- 535,541 ----
{ "mask", IPNY_MASK },
{ "map", IPNY_MAP },
{ "map-block", IPNY_MAPBLOCK },
+ { "mssclamp", IPNY_MSSCLAMP },
{ "port", IPNY_PORT },
{ "portmap", IPNY_PORTMAP },
{ "ports", IPNY_PORTS },
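
Review bot: this hunk only adds the `"mssclamp"` keyword to the lookup table; no range check on the number that follows it is visible anywhere in the patch. Because ip_nat.c stores the value with `cp[2] = maxmss / 256`, anything above 65535 would be silently truncated in the rewritten option, so the grammar action for IPNY_MSSCLAMP should reject values that do not fit in 16 bits (and probably zero or implausibly small values) with a parse error.
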