COMMAND
ipfwadm
SYSTEMS AFFECTED
Linux
PROBLEM
Domas Mituzas found the following. The ipfwadm shipped with all major
Linux distributions does not know about some new kernel features
(included in the latest releases). One of them is ICMP masquerading.
ipfwadm could not handle the ICMP lines in /proc/net/ip_masquerade,
so it reported an "unexpected input data" error and showed none of
the other records (the TCP and UDP ones). Therefore anyone who wants
his connections to go unseen by `ipfwadm -Ml` can simply ping a host
and do what he wants at the same time. Of course the operator can look
into the /proc/net directory, but IP addresses written as hex numbers
are difficult to read...
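The failure mode above, as an added example (not ipfwadm's own code): a small C parser over constructed sample lines in the /proc/net/ip_masquerade layout, run once with ipfwadm's fatal "unexpected input data" behaviour and once in a tolerant mode that lists what it can and counts what it cannot, plus a helper that turns the kernel's hex addresses into dotted quads. The record layout and the sample values are assumptions modelled on the 2.0 kernel's output, not taken from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample in the 2.0-era /proc/net/ip_masquerade layout (protocol,
 * src:port, dst:port, masq port, all hex); addresses and ports are made up. */
static const char *sample[] = {
    "TCP C0A80102:0400 0A000001:0050 F000 00000000 0 0 120",
    "ICMP C0A80102:0123 0A000001:0000 F001 00000000 0 0 60",
    "UDP C0A80103:0035 0A000002:0035 F002 00000000 0 0 180",
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

struct masq { char proto[8]; uint32_t src, dst; unsigned sport, dport; };

/* Parse one record; returns 1 on success, 0 on a malformed line. */
static int parse_masq(const char *line, struct masq *m) {
    unsigned long s, d;
    if (sscanf(line, "%7s %lX:%X %lX:%X", m->proto, &s, &m->sport, &d, &m->dport) != 5)
        return 0;
    m->src = (uint32_t)s; m->dst = (uint32_t)d;
    return 1;
}

/* Turn the kernel's hex address into the dotted quad an operator can read. */
static char *fmt_addr(uint32_t a, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)(a >> 16 & 255), (unsigned)(a >> 8 & 255), (unsigned)(a & 255));
    return out;
}

static int known_proto(const char *p, int know_icmp) {
    return !strcmp(p, "TCP") || !strcmp(p, "UDP") || (know_icmp && !strcmp(p, "ICMP"));
}

/* know_icmp=0 models unpatched ipfwadm, 1 the patched one. abort_on_unknown=1 is
 * ipfwadm's exit_error(): the first unrecognised token loses the whole listing
 * (returns -1). With 0, unknown records are counted in *unknown and the rest are
 * still shown. Returns the number of records listed. */
static int list_masq(const char **lines, int n, int know_icmp, int abort_on_unknown, int *unknown) {
    struct masq m; char s[16], d[16]; int shown = 0; *unknown = 0;
    for (int i = 0; i < n; i++) {
        if (!parse_masq(lines[i], &m) || !known_proto(m.proto, know_icmp)) {
            if (abort_on_unknown) return -1;          /* "unexpected input data" */
            (*unknown)++;
            continue;
        }
        printf("%-5s %s:%u -> %s:%u\n", m.proto, fmt_addr(m.src, s), m.sport, fmt_addr(m.dst, d), m.dport);
        shown++;
    }
    return shown;
}
```

Calling list_masq(sample, NSAMPLE, 0, 1, &unk) reproduces the advisory's symptom (-1, nothing listed), while know_icmp=1 lists all three records.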
SOLUTION
Domas has written a small fix for this problem: he simply added ICMP
masquerading support to ipfwadm. Here it is (you can get the ipfwadm
distribution from ftp.xos.nl/pub/linux/ipfwadm):
--- ipfwadm.c.orig Tue Jul 30 14:54:22 1996
+++ ipfwadm.c Sat Nov 28 16:20:53 1998
@@ -1134,6 +1134,9 @@
else if (kind == IP_FW_F_UDP &&
(service = getservbyport(htons(port), "udp")) != NULL)
return service->s_name;
+ else if (kind == IP_FW_F_ICMP &&
+ (service = getservbyport(htons(port), "icmp")) != NULL)
+ return service->s_name;
else
return (char *) NULL;
}
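Review bot: the new getservbyport(htons(port), "icmp") lookup at the top of this hunk will practically never find anything, because ICMP has no ports and /etc/services carries no "icmp" protocol entries; the call returns NULL and control falls through to the existing `return (char *) NULL;`. That is harmless (the caller prints the raw number instead), but it would be clearer to return NULL for IP_FW_F_ICMP directly, or to document that for ICMP entries the column shows whatever the kernel reports in the port field rather than a service name.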
@@ -1571,6 +1574,9 @@
case IP_FW_F_UDP:
fprintf(fp, "%-5s", "udp");
break;
+ case IP_FW_F_ICMP:
+ fprintf(fp, "%-5s", "icmp");
+ break;
}
sec100s = ms->expires % HZ;
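Review bot: there is still no `default:` arm in this switch, so a kind the kernel adds later would print an empty protocol column; this is pre-existing, and the parser further down rejects such input before it reaches this point, so it is only worth a comment. The `%-5s` width already fits the four-letter "icmp", so the columns stay aligned with "tcp" and "udp".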
@@ -1668,9 +1674,10 @@
ms->kind = IP_FW_F_TCP;
else if (strcmp("UDP", buf) == 0)
ms->kind = IP_FW_F_UDP;
+ else if (strcmp("ICMP", buf) == 0)
+ ms->kind = IP_FW_F_ICMP;
else
exit_error(1, "unexpected input data");
-
/* we always keep these addresses in network byte order */
ms->src.s_addr = (__u32) htonl(temp[0]);
ms->dst.s_addr = (__u32) htonl(temp[1]);
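Review bot: the parser still exits on any unknown protocol token (`exit_error(1, "unexpected input data");`), so the next kind the kernel adds will reproduce exactly the blind spot this patch closes for ICMP; consider warning and skipping the record instead of exiting, so that the TCP and UDP entries are still listed. Also, the removed blank line before the byte-order comment is an unrelated whitespace change and should be dropped from the patch.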