* [PATCH 2.4]: Fix wrong AH-header
@ 2003-07-21  1:48 Patrick McHardy
  2003-07-21 15:57 ` Harald Welte
  0 siblings, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2003-07-21  1:48 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist

[-- Attachment #1: Type: text/plain, Size: 205 bytes --]

I'm beginning to feel guilty for not warning you before bombing you with 
patches ..
sorry .. only this and one more.

This patch fixes spi-matching in ipt_ah like the 2.5 version.

Best regards,
Patrick


[-- Attachment #2: 24-ipt_ah-wrong-ahhdr.diff --]
[-- Type: text/plain, Size: 919 bytes --]

# This is a BitKeeper generated patch for the following project:
# Project Name: Linux kernel tree
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas:
#	           ChangeSet	1.1020  -> 1.1021 
#	net/ipv4/netfilter/ipt_ah.c	1.2     -> 1.3    
#
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 03/07/21	kaber@trash.net	1.1021
# [NETFILTER]: Fix wrong AH-header
# --------------------------------------------
#
diff -Nru a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
--- a/net/ipv4/netfilter/ipt_ah.c	Mon Jul 21 02:20:52 2003
+++ b/net/ipv4/netfilter/ipt_ah.c	Mon Jul 21 02:20:52 2003
@@ -15,7 +15,11 @@
 #endif
 
 struct ahhdr {
+	__u8    nexthdr;
+	__u8    hdrlen;
+	__u16   reserved;
 	__u32   spi;
+	__u32   seq_no;
 };
 
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
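Review bot: The multi-byte fields added to struct ahhdr (reserved, spi, seq_no) are plain __u16/__u32 with nothing to say they are in network byte order on the wire, so a reader cannot tell from the struct whether spi must be converted before the range comparison described in the comment below it. A one-line comment on the struct stating that the fields are big-endian as received would help. The changelog line "Fix wrong AH-header" could also state the effect visible here: with the old one-field struct, spi sat at offset 0, where this layout puts nexthdr, hdrlen and reserved, and spi is now at offset 4.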


* Re: [PATCH 2.4]: Fix wrong AH-header
  2003-07-21  1:48 [PATCH 2.4]: Fix wrong AH-header Patrick McHardy
@ 2003-07-21 15:57 ` Harald Welte
  2003-07-25 22:15   ` --reject-with admin-prohib not working Internet Protocol version Six
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2003-07-21 15:57 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Development Mailinglist

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

On Mon, Jul 21, 2003 at 03:48:51AM +0200, Patrick McHardy wrote:
> I'm beginning to feel guilty for not warning you before bombing you with 
> patches ..

I'm perfectly fine with receiving your patches, don't worry.  I'm just at
the linux kernel summit, and it might take some days until those are
getting integrated.

> Patrick

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]


* --reject-with admin-prohib not working
  2003-07-21 15:57 ` Harald Welte
@ 2003-07-25 22:15   ` Internet Protocol version Six
  2003-07-26  2:28     ` Internet Protocol version Six
  2003-07-30 14:02     ` Harald Welte
  0 siblings, 2 replies; 6+ messages in thread
From: Internet Protocol version Six @ 2003-07-25 22:15 UTC (permalink / raw)
  To: netfilter-devel

Hello all,

like the subject says, it is not working for me, I applied the PoM patch to the kernel, compiled the kernel, even recompiled iptables and it still gives me "iptables v1.2.8: unknown reject type `admin-prohib'"

Is there some patch that needs to be applied to iptables itself? Because I can't find one

Any help is greatly appreciated
-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be


* Re: --reject-with admin-prohib not working
  2003-07-25 22:15   ` --reject-with admin-prohib not working Internet Protocol version Six
@ 2003-07-26  2:28     ` Internet Protocol version Six
  2003-07-30 14:02     ` Harald Welte
  1 sibling, 0 replies; 6+ messages in thread
From: Internet Protocol version Six @ 2003-07-26  2:28 UTC (permalink / raw)
  To: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

I seem to have found the missing patch to iptables that is not in PoM
I've attached it, it is for iptables-1.2.8

> ----------------------------------------
> From: Internet Protocol version Six <inet6@mail.be>
> Sent: Sat Jul 26 00:15:22 GMT+02:00 2003
> To: <netfilter-devel@lists.netfilter.org>
> Subject: --reject-with admin-prohib not working
> 
> 
> Hello all,
> 
> like the subject says, it is not working for me, I applied the PoM patch to the kernel, compiled the kernel, even recompiled iptables and it still gives me "iptables v1.2.8: unknown reject type `admin-prohib'"
> 
> Is there some patch that needs to be applied to iptables itself? Because I can't find one


[-- Attachment #2: File Attachment: iptables-1.2.8-admin-prohib.patch --]
[-- Type: text/plain, Size: 2855 bytes --]

diff -urN iptables-1.2.8/INCOMPATIBILITIES iptables-1.2.8+admin-prohib/INCOMPATIBILITIES
--- iptables-1.2.8/INCOMPATIBILITIES    Thu Jan  1 01:00:00 1970
+++ iptables-1.2.8+admin-prohib/INCOMPATIBILITIES       Sat Jul 26 04:02:28 2003
@@ -0,0 +1,6 @@
+INCOMPATIBILITIES:
+
+- The REJECT target has an '--reject-with admin-prohib' option which used
+  with kernels that do not support it, will result in a plain DROP instead
+  of REJECT.  Use with caution.
+  Kernels that do support it:
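Review bot: The last added line, "Kernels that do support it:", ends the file with nothing after it, so the list it announces is empty. Either name the kernel versions (or the patch that provides the feature) or drop the line. The sentence above it would also read better as "which, when used with kernels that do not support it, results in a plain DROP instead of REJECT".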
diff -urN iptables-1.2.8/extensions/libipt_REJECT.c iptables-1.2.8+admin-prohib/extensions/libipt_REJECT.c
--- iptables-1.2.8/extensions/libipt_REJECT.c   Wed May 29 15:08:16 2002
+++ iptables-1.2.8+admin-prohib/extensions/libipt_REJECT.c      Sat Jul 26 03:43:46 2003
@@ -9,6 +9,16 @@
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/version.h>
+
+/* If we are compiling against a kernel that does not support
+ * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
+ * The result will be a plain DROP of the packet instead of
+ * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ */
+#ifndef IPT_ICMP_ADMIN_PROHIBITED
+#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
+#endif

 struct reject_names {
        const char *name;
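Review bot: The fallback macro "#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1" is missing parentheses, so it expands incorrectly inside any larger expression; write it as (IPT_TCP_RESET + 1). The #ifndef guard also only detects kernel support if the header provides IPT_ICMP_ADMIN_PROHIBITED as a preprocessor macro; if the reject types are enum members, the fallback is taken on every build, which the comment should say. The added #include <linux/version.h> is not used by anything in the hunks shown and can probably be dropped.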
@@ -35,7 +45,9 @@
        {"icmp-host-prohibited", "host-prohib",
         IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
        {"tcp-reset", "tcp-reset",
-        IPT_TCP_RESET, "TCP RST packet"}
+        IPT_TCP_RESET, "TCP RST packet"},
+       {"icmp-admin-prohibited", "admin-prohib",
+        IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
 };

 static void
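Review bot: The "admin-prohib" entry is added to the table unconditionally, so a binary built with the fallback define from the top of the file accepts the option without any message and, per the comment there, the rule then drops the packet instead of rejecting it. A rule that behaves as DROP where the administrator wrote REJECT is easy to miss when auditing a ruleset. Consider printing a warning at parse time in that case, or refusing the option, instead of relying on the "(*)" in the description string.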
@@ -64,6 +76,8 @@
 "                                a reply packet according to type:\n");

        print_reject_types();
+
+       printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
 }

 static struct option opts[] = {
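Review bot: The added printf string misspells the file name as "INCOMPATIBILITES"; the file this patch creates is INCOMPATIBILITIES, so a user searching for the name as printed will not find it. Since the help output is where most users will first see the "(*)", it would also be worth saying in this line what the issue is (the rule acts as DROP on kernels without support) instead of only pointing elsewhere.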
diff -urN iptables-1.2.8/iptables.8 iptables-1.2.8+admin-prohib/iptables.8
--- iptables-1.2.8/iptables.8   Mon Mar  3 23:23:22 2003
+++ iptables-1.2.8+admin-prohib/iptables.8      Sat Jul 26 03:47:31 2003
@@ -852,8 +852,9 @@
 .BR icmp-host-unreachable ,
 .BR icmp-port-unreachable ,
 .BR icmp-proto-unreachable ,
-.BR "icmp-net-prohibited or"
-.BR icmp-host-prohibited ,
+.BR icmp-net-prohibited ,
+.BR "icmp-host-prohibited or"
+.BR "icmp-admin-prohibited (*)"
 which return the appropriate ICMP error message (\fBport-unreachable\fP is
 the default).  The option
 .B tcp-reset
@@ -862,6 +863,8 @@
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
 .SS SNAT
 This target is only valid in the
 .B nat
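Review bot: The added ".TP" is followed by a single text line and then ".SS SNAT", so the whole footnote sentence becomes the tag of a tagged paragraph that has no body. Use ".PP" (or ".br") before the footnote so it is set as ordinary text, and end the sentence with a period to match the surrounding man page text.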


* Re: --reject-with admin-prohib not working
  2003-07-25 22:15   ` --reject-with admin-prohib not working Internet Protocol version Six
  2003-07-26  2:28     ` Internet Protocol version Six
@ 2003-07-30 14:02     ` Harald Welte
  2003-07-31  1:48       ` Internet Protocol version Six
  1 sibling, 1 reply; 6+ messages in thread
From: Harald Welte @ 2003-07-30 14:02 UTC (permalink / raw)
  To: Internet Protocol version Six; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 779 bytes --]

On Sat, Jul 26, 2003 at 12:15:22AM +0200, Internet Protocol version Six wrote:
> Hello all,
> 
> like the subject says, it is not working for me, I applied the PoM
> patch to the kernel, compiled the kernel, even recompiled iptables and
> it still gives me "iptables v1.2.8: unknown reject type
> `admin-prohib'"

just use iptables from CVS.  I should do a 1.2.9 release, if only for
this issue.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]


* Re: --reject-with admin-prohib not working
  2003-07-30 14:02     ` Harald Welte
@ 2003-07-31  1:48       ` Internet Protocol version Six
  0 siblings, 0 replies; 6+ messages in thread
From: Internet Protocol version Six @ 2003-07-31  1:48 UTC (permalink / raw)
  To: laforge; +Cc: netfilter-devel

Works great, thanks :)

> ----------------------------------------
> From: Harald Welte <laforge@netfilter.org>
> Sent: Wed Jul 30 16:02:14 GMT+02:00 2003
> To: Internet Protocol version Six <inet6@mail.be>
> Subject: Re: --reject-with admin-prohib not working
> 
> 
> On Sat, Jul 26, 2003 at 12:15:22AM +0200, Internet Protocol version Six wrote:
> > Hello all,
> > 
> > like the subject says, it is not working for me, I applied the PoM
> > patch to the kernel, compiled the kernel, even recompiled iptables and
> > it still gives me "iptables v1.2.8: unknown reject type
> > `admin-prohib'"
> 
> just use iptables from CVS.  I should do a 1.2.9 release, if only for
> this issue.
> 
> -- 
> - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
> ============================================================================
>   "Fragmentation is like classful addressing -- an interesting early
>    architectural error that shows how much experimentation was going
>    on while IP was being designed."                    -- Paul Vixie

