The ipfwadm delivered with all major Linux distributions doesn't know some new kernel features (included in the latest releases). One of them is ICMP Masquerading. ipfwadm couldn't handle ICMP lines in /proc/net/ip_masquerade, so it failed with an "unexpected input data" error without showing the other records (that is, TCP and UDP). Therefore, someone who wants his connections not to be seen by `ipfwadm -Ml` can just ping one host and at the same time do what he wants. Of course the operator can look into the /proc/net directory, but it's difficult to read IP addresses written in hex numbers...

I've written a small fix to solve this problem - I've just added ICMP Masquerading support to ipfwadm. Here it is (you can get the ipfwadm distribution from ftp.xos.nl/pub/linux/ipfwadm):

--- ipfwadm.c.orig Tue Jul 30 14:54:22 1996 +++ ipfwadm.c Sat Nov 28 16:20:53 1998 @@ -1134,6 +1134,9 @@ else if (kind == IP_FW_F_UDP && (service = getservbyport(htons(port), "udp")) != NULL) return service->s_name; + else if (kind == IP_FW_F_ICMP && + (service = getservbyport(htons(port), "icmp")) != NULL) + return service->s_name; else return (char *) NULL; } @@ -1571,6 +1574,9 @@ case IP_FW_F_UDP: fprintf(fp, "%-5s", "udp"); break; + case IP_FW_F_ICMP: + fprintf(fp, "%-5s", "icmp"); + break; } sec100s = ms->expires % HZ; @@ -1668,9 +1674,10 @@ ms->kind = IP_FW_F_TCP; else if (strcmp("UDP", buf) == 0) ms->kind = IP_FW_F_UDP; + else if (strcmp("ICMP", buf) == 0) + ms->kind = IP_FW_F_ICMP; else exit_error(1, "unexpected input data"); - /* we always keep these addresses in network byte order */ ms->src.s_addr = (__u32) htonl(temp[0]); ms->dst.s_addr = (__u32) htonl(temp[1]);

-- Domas Mituzas School of New Communications. Linux department. Now I'm pregnant... X-Ray proves - it's a penguin again!
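Review bot: In the hunk at @@ -1134,6 +1134,9 @@, the new branch calls getservbyport(htons(port), "icmp"), but ICMP has no port numbers and the services database normally carries only tcp and udp entries, so this lookup will return NULL in practice and fall through to the existing `return (char *) NULL;`. The branch is harmless but costs a services lookup per ICMP record and suggests the value is a service port. I would drop it, or return NULL directly for IP_FW_F_ICMP with a short comment saying what the port field holds for a masqueraded ICMP entry.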
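Review bot: In the hunk at @@ -1571,6 +1574,9 @@, the switch closes right after the new `case IP_FW_F_ICMP:` with no default visible, so a record whose kind matches none of the cases prints nothing in the protocol column and shifts the rest of the row. Since this patch exists because the kernel gained a protocol the tool did not know, I would add a default that prints a fixed-width placeholder with the same "%-5s" format, so an unrecognised kind is visible in the listing instead of silently misaligning it.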
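Review bot: In the hunk at @@ -1668,9 +1674,10 @@, the parser still ends in `exit_error(1, "unexpected input data");` for any protocol string other than TCP, UDP and now ICMP, so the next protocol the kernel adds to the masquerade table will hide every record from the listing again, which is the failure this patch is meant to fix. I would make the unknown case non-fatal: warn on stderr, skip or mark that one record, and keep reading, so that a single unrecognised line cannot blank out the TCP and UDP entries. A comment next to the strcmp chain naming the kernel-side strings it must track would also help whoever touches this next.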