Linux IP Masquerade

Info on Nigel's Bumper masquerading kernel patches

Quoted from a post on the mailing list by Nigel Metheringham:

March 3, 1997

[Several people are on the copy list of this message because their patches were integrated into this mega-patch. I'd appreciate it if you could check that I have not broken anything critical]

Attached to this message is a gzip compressed patch file which is the second beta version of my new bumper masq patch.

This contains everything that the old bumper patch did, and some new things...!!!

It is *lightly* tested (ie some functions are completely untested), however the majority of the code has been running here for a while. I'd particularly appreciate it if people could look at the multiple port support for modules (Real Audio and VDOlive is tested, the others just grafted in mechanically).

The quake module and ipautofw are completely untested by me other than checking they compile - I just don't have the kit to test them here. Please pass comments back to me - it's probably not worth putting them to the masq list right now.

Here is a rough draft of a new README for the patch...

Not all of these patches are mine. This includes:-


        FTP keep alive support          - Keith Owens
        CUSeeMe module                  - Richard Lynch
        ICMP masquerading               - Delian Delchev
        ICMP/ICMP masquerading          - Nigel Metheringham
        VDOLive module                  - Nigel Metheringham
        RealAudio module fixes          - Nigel Metheringham
        Multi port handling for helpers - Nigel Metheringham
        Quake Module                    - Harald Hoyer
        ipautofw support                - Richard Lynch

I have also cleaned up the ICMP handling somewhat. The ICMP/ICMP handling means that ICMP error packets containing ICMP request/reply packets are now handled correctly - meaning that the tracert program from windows 95 will now work.

A number of long standing (but undiscovered) ICMP bugs were fixed. Doubtless some new ones were added!

The multiple port handling adds the handling of a ports=x1,x2... parameter to the insmod line. The parameters are a list of port numbers and can be passed on the command line or put in /etc/conf.modules (or /etc/modules.conf depending on your system) where they will be loaded when you use modprobe. For example, to make the RealAudio module handle connections to ports 7070, 7071 and 7072 (Real Audio servers often use any of a range of ports from 7070 to 7080), then you can load the module using insmod:-

        insmod ip_masq_raudio.o ports=7070,7071,7072

or put this in the config file

        options ip_masq_raudio.o ports=7070,7071,7072

and load with modprobe.

It will be safest to always specify at least 2 ports to ensure that it is not treated as a scalar instead of an integer array (unwanted ports can be specified as zero). The number of ports that can be handled is specified by MAX_MASQ_APP_PORTS which is in ip_masq.h and is currently set to 12.

All modules still default as before.

All Makefile mods etc are included. 1 config change is made. There is now an option to switch on/off the ICMP masquerading - CONFIG_IP_MASQUERADE_ICMP, and another one to switch in the ipautofw support - CONFIG_IP_MASQUERADE_IPAUTOFW. The help text used for the config stuff has been upgraded to reflect these changes.

Since little has changed with the ipv4 implementation I expect these patches to apply fairly cleanly to anything above 2.0.20. They were made against a clean 2.0.29 source tree. Version 2.0.29 works well in normal use.

To apply, cd into your linux source dir (/usr/src/linux normally) patch -p1

Since there are now 5 timeout parameters - ie

        TCP connection 
        TCP FIN 
        UDP 
        control channel 
        ICMP (if defined)

you will find that ipfwadm can no longer set the timeouts. To fix this there is a patch for ipfwadm on the IP Masquerading web site (URL below).

Please note that information about IP Masquerading in general is also on the web site, along with current patches for IP Masq support.

http://www.wwonline.com/~achau/ipmasq/

Thanks to Ambrose Au for his work on this site.

Other information on IP masquerading, including information about the mailing lists, can be found at

http://www.indyramp.com/masq/

Please look at these pages (and the adverts which help fund the indyramp mailing lists and ftp site for masquerading).

Nigel.

Please send comments about these patches to Nigel Metheringham
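
The `ports=` rules from the README above (at least two entries, zero for an unused slot, no more than MAX_MASQ_APP_PORTS = 12), as an added shell example that is not part of Nigel's post or the patch. The function name `masq_ports_arg` is hypothetical; the limit of 12 is the value the post gives for ip_masq.h.

```shell
#!/bin/sh
# Added example: build a validated "ports=" argument for a masq helper module.
# MAX_MASQ_APP_PORTS mirrors the value the post quotes from ip_masq.h.
MAX_MASQ_APP_PORTS=12

# masq_ports_arg PORT...   (hypothetical helper, not part of the patch)
# Prints "ports=p1,p2,..." and returns 0, or returns 1 with a message on
# stderr when a port is not numeric, is above 65535, or too many are given.
masq_ports_arg() {
    if [ "$#" -eq 0 ]; then
        echo "masq_ports_arg: no ports given" >&2
        return 1
    fi
    if [ "$#" -gt "$MAX_MASQ_APP_PORTS" ]; then
        echo "masq_ports_arg: $# ports given, limit is $MAX_MASQ_APP_PORTS" >&2
        return 1
    fi
    list=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*)
                echo "masq_ports_arg: '$p' is not a port number" >&2
                return 1 ;;
        esac
        # Length check first so an over-long digit string never reaches -gt.
        if [ "${#p}" -gt 5 ] || [ "$p" -gt 65535 ]; then
            echo "masq_ports_arg: port '$p' is out of range" >&2
            return 1
        fi
        list="${list:+$list,}$p"
    done
    # A single value could be read as a scalar rather than an integer
    # array, so pad with a zero (unused) entry as the README advises.
    if [ "$#" -eq 1 ]; then
        list="$list,0"
    fi
    printf 'ports=%s\n' "$list"
}

# Usage on the insmod line from the post:
#   insmod ip_masq_raudio.o "$(masq_ports_arg 7070 7071 7072)"
```
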

Additional Info on the ICMP, VDO Live and Real Audio Patches

Quoted from a post on the mailing list by Nigel Metheringham:

I said nearly 2 weeks back that I would clean up my patches for these and put them out. I haven't had time to do this properly, so I am just putting the patches out as an interim measure and will clean them later.

There are 3 sets in here, with an odd division which is historical rather than functional. They are part of the kernel build process I use for the stuff I am working on. The 3 files patch in order, and are:-

        icmp_masq.2.patch       - ICMP masquerading
        ip_masq_vdolive.patch   - VDOlive support and RealAudio fixes
        masq_beta.1.patch       - fix up of Makefile

They assume that the ftp and cuseeme patches are already in.

The ICMP code is *not* mine - I have only made minor mods to make it patch in cleanly. They come from Delian Delchev.

The other code is mine.

The additional timeouts added by the ftp and icmp code break ipfwadm. A patch for that is included in ipfwadm-2.3.0-generic-timeout.patch. This requires that the following defines be added to the Makefile to enable the code:

-DMASQ_GENERIC_TIMEOUTS -DMASQUERADE_ICMP

Some of the code is compiled in if these are left out - basically things will display correctly with -l -M, but you will not be able to change timeouts or ICMPs.

For the timeouts you just put n integers - the kernel uses them in the order TCP, TCP_FIN, UDP, control, ICMP.

Sorry that this is patchy, I decided to put it out rather than wait for time to neaten it up! NB The vdolive code is pretty much official now. Those that took beta copies with restricted conditions can just forget that and use this (which is the same) now.

Please send comments about these patches to Nigel Metheringham

