From 6d473e818ca08f76d00235ed8da0bf68a1bed9fc Mon Sep 17 00:00:00 2001
From: Alexander Langer
Date: Sun, 15 Mar 1998 00:36:27 +0000
Subject: [PATCH] Allow ICMP unreachable messages to be sent in response to ICMP query packets (as per Stevens volume 1 section 6.2).
---
 sys/netinet/ip_fw.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 854879a19e08..6eac53f9b12b 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 1996 Alex Nash
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
+ * Copyright (c) 1996 Alex Nash
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
@@ -12,7 +12,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- * $Id: ip_fw.c,v 1.77 1998/02/09 06:10:10 eivind Exp $
+ * $Id: ip_fw.c,v 1.78 1998/02/12 00:57:04 alex Exp $
 */
 
 /*
@@ -166,6 +166,23 @@ icmptype_match(struct icmp *icmp, struct ip_fw *f)
 return(0); /* no match */
 }
 
+static int
+is_icmp_query(struct ip *ip)
+{
+ const struct icmp *icmp;
+ int icmp_type;
+
+ icmp = (struct icmp *)((u_long *)ip + ip->ip_hl);
+ icmp_type = icmp->icmp_type;
+
+ if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
+ icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
+ icmp_type == ICMP_MASKREQ)
+ return(1);
+
+ return(0);
+}
+
 static int
 ipopts_match(struct ip *ip, struct ip_fw *f)
 {
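Review bot: is_icmp_query() dereferences `icmp->icmp_type` without checking that the byte at `ip + ip_hl` words is really an ICMP header; nothing in the function rejects a non-first fragment or a datagram too short to carry the type field. In those cases the value compared against ICMP_ECHO and the other query types is payload or data past the packet, and the only caller visible here, the reject test in the got_match hunk, uses the result to decide whether a reject notice is sent. Unless an earlier check outside these hunks guarantees both, add a guard before the dereference, for example `if ((ip->ip_off & IP_OFFMASK) != 0 || ip->ip_len < (ip->ip_hl << 2) + ICMP_MINLEN) return(0);` (this assumes ip_off and ip_len are in host order at this point, which the hunk does not show). The `(u_long *)ip + ip->ip_hl` arithmetic also depends on u_long being 32 bits wide; `(char *)ip + (ip->ip_hl << 2)` would not.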
@@ -597,11 +614,11 @@ got_match:
 * Send a reject notice if all of the following are true:
 *
 * - The packet matched a reject rule
- * - The packet is not an ICMP packet
+ * - The packet is not an ICMP packet, or is an ICMP query packet
 * - The packet is not a multicast or broadcast packet
 */
 if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
- && ip->ip_p != IPPROTO_ICMP
+ && (ip->ip_p != IPPROTO_ICMP || is_icmp_query(ip))
 && !((*m)->m_flags & (M_BCAST|M_MCAST))
 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
 switch (rule->fw_reject_code) {
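Review bot: The updated comment states the new condition but not the reason ICMP packets are treated differently, which currently lives only in the commit subject. A reader of this test needs to know that ICMP errors stay excluded so that an error is never answered with another error, while queries may be answered; I would extend the bullet to something like `* - The packet is not an ICMP packet, or is an ICMP query packet (never reply to an ICMP error with an error; Stevens vol. 1, sec. 6.2)`. The `switch (rule->fw_reject_code)` body continues outside the hunk.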