Re: IP Masq question in pre-2.0.31-1

Nigel Metheringham (Nigel.Metheringham@ThePLAnet.net)
Mon, 14 Jul 1997 11:20:36 +0100


} Just out of curiosity, why is the code that prints things like:
}
} MASQ: forward ICMP: failed checksum from 208.136.4.175!
} MASQ: forward ICMP: failed checksum from 151.200.189.101!
}
} outside the ifdef's for CONFIG_IP_MASQUERADE_ICMP. i.e. I don't have
} CONFIG_IP_MASQUERADE_ICMP set in this kernel though I do have
} CONFIG_IP_MASQUERADE, yet am seeing the above on a multi-ether linux
} router. Is there a good reason not obvious to me, or is it an oversight?

It's not an oversight (honest!).

The code for handling ICMP actually breaks down into 2 different sections:-

1. Code handling ICMP packets which are associated with TCP/UDP connections
[I use "connections" rather loosely here]. ie ICMP packets related to
PATH MTU discovery etc. This basically means that ICMP packets that are
for destination unreachable, ttl exceeded or source quench AND the embedded
proto information is for an already masq-ed connection are handled.

2. Code handling all ICMP packets as ICMP...

The code to handle (1) existed before the real ICMP handling code was
written - it came in a bit before 2.0.0. Without that code all sorts of
things fall apart - especially if you try and do MTU discovery.
[incidentally if ICMP handling is disabled ping from inside the masq network
doesn't work - as expected - BUT Unix traceroute does work since it uses
UDP probe packets and gets ICMPs back related to those packets. MS
tracert doesn't work without full ICMP support since it uses ICMP probe
packets].

Nigel.

-- 
[ Nigel.Metheringham@theplanet.net   -  Systems Software Engineer ]
[ Tel : +44 113 251 6012                   Fax : +44 113 224 0003 ]
[            Friends don't let friends use sendmail!              ]
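
Added example (not part of the original mail and not the kernel's own code): a user-space sketch of the case (1) decision described above, covering only errors arriving from outside that quote an outbound masqueraded packet. The table layout, function names, return codes and sample packet are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical masq table entry: (proto, masq port) -> internal host. */
struct masq_entry { uint8_t proto; uint16_t mport; uint32_t int_addr; uint16_t int_port; };
static const struct masq_entry masq_table[] = {   /* constructed flows */
    { 17, 61001, 0xC0A80105u, 33434 },            /* UDP probe from 192.168.1.5 */
    {  6, 61002, 0xC0A80107u, 1025 },             /* TCP flow from 192.168.1.7 */
};
static uint8_t sample[36] = {   /* constructed: time-exceeded quoting the UDP probe */
    11, 0, 0xD7, 0xA5, 0, 0, 0, 0,            /* ICMP type 11, code 0, checksum, unused */
    0x45, 0, 0, 28, 0, 0, 0, 0, 1, 17, 0, 0,  /* quoted IPv4 header: ttl 1, proto UDP */
    203, 0, 113, 1, 198, 51, 100, 9,          /* src = masq address, dst = remote */
    0xEE, 0x49, 0x82, 0x9B, 0, 8, 0, 0        /* UDP sport 61001, dport 33435 */
};
enum { ICMP_RELATED = 0, ICMP_BAD_CSUM = -1, ICMP_NOT_ERROR = -2, ICMP_TRUNCATED = -3, ICMP_NO_FLOW = -4 };
/* RFC 1071 Internet checksum; 0 over a message whose checksum field is valid. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Case (1) in the mail: an ICMP error matches only if it quotes a masq-ed flow. */
int classify_icmp(const uint8_t *icmp, size_t len, const struct masq_entry **out)
{
    if (len < 8) return ICMP_TRUNCATED;
    if (inet_csum(icmp, len) != 0) return ICMP_BAD_CSUM;   /* the "failed checksum" case */
    if (icmp[0] != 3 && icmp[0] != 4 && icmp[0] != 11) return ICMP_NOT_ERROR;
    if (len < 28 || (icmp[8] >> 4) != 4) return ICMP_TRUNCATED;
    const uint8_t *ip = icmp + 8;                           /* quoted IP header */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < 8 + ihl + 8) return ICMP_TRUNCATED;  /* ports must be quoted */
    uint16_t sport = (uint16_t)(ip[ihl] << 8 | ip[ihl + 1]);   /* masq port on the way out */
    for (size_t i = 0; i < sizeof masq_table / sizeof masq_table[0]; i++)
        if (masq_table[i].proto == ip[9] && masq_table[i].mport == sport) {
            *out = &masq_table[i];
            return ICMP_RELATED;
        }
    return ICMP_NO_FLOW;
}

int main(void)
{
    const struct masq_entry *e = NULL;
    printf("rc=%d\n", classify_icmp(sample, sizeof sample, &e));
    return 0;
}
```

The sample is what a Unix traceroute probe from inside would provoke; an echo request (type 8) falls through as ICMP_NOT_ERROR, which is the traffic that needs the full ICMP support of case (2).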