patch-2.4.17 linux/net/ipv4/netfilter/ipt_MIRROR.c
Next file: linux/net/ipv4/netfilter/ipt_TCPMSS.c
Previous file: linux/net/ipv4/netfilter/ip_nat_irc.c
Back to the patch index
Back to the overall index
- Lines: 59
- Date:
Fri Dec 21 16:40:33 2001
- Orig file:
linux-2.4.16/net/ipv4/netfilter/ipt_MIRROR.c
- Orig date:
Sun Sep 30 19:26:08 2001
diff -Naur -X /home/marcelo/lib/dontdiff linux-2.4.16/net/ipv4/netfilter/ipt_MIRROR.c linux/net/ipv4/netfilter/ipt_MIRROR.c
@@ -6,6 +6,10 @@
Copyright (C) 2000 Emmanuel Roger <winfield@freegates.be>
+ Changes:
+ 25 Aug 2001 Harald Welte <laforge@gnumonks.org>
+ - decrement and check TTL if not called from FORWARD hook
+
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
@@ -24,6 +28,7 @@
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/ip.h>
+#include <net/icmp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netdevice.h>
#include <linux/route.h>
@@ -100,15 +105,31 @@
const void *targinfo,
void *userinfo)
{
- if ((*pskb)->dst != NULL) {
- if (route_mirror(*pskb)) {
- ip_rewrite(*pskb);
- /* Don't let conntrack code see this packet:
- it will think we are starting a new
- connection! --RR */
- ip_direct_send(*pskb);
- return NF_STOLEN;
+ if (((*pskb)->dst != NULL) &&
+ route_mirror(*pskb)) {
+
+ ip_rewrite(*pskb);
+
+ /* If we are not at FORWARD hook (INPUT/PREROUTING),
+ * the TTL isn't decreased by the IP stack */
+ if (hooknum != NF_IP_FORWARD) {
+ struct iphdr *iph = (*pskb)->nh.iph;
+ if (iph->ttl <= 1) {
+ /* this will traverse normal stack, and
+ * thus call conntrack on the icmp packet */
+ icmp_send(*pskb, ICMP_TIME_EXCEEDED,
+ ICMP_EXC_TTL, 0);
+ return NF_DROP;
+ }
+ ip_decrease_ttl(iph);
}
+
+ /* Don't let conntrack code see this packet:
+ it will think we are starting a new
+ connection! --RR */
+ ip_direct_send(*pskb);
+
+ return NF_STOLEN;
}
return NF_DROP;
}
FUNET's LINUX-ADM group, linux-adm@nic.funet.fi
TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)