Very Computer

This changes the firewalling code so that the interface address specified to
ipfw (iface xxx.xxx.xxx.xxx) is the address of the _other_ end of the link
(not this machine) for point-to-point links (and this machine's address for
all other links, as it has always been).

This has been tested (on my own system for about a week), and I have mailed
it to Alan Cox.

Patch to Linux 1.2.13 linux/net/inet/ip_fw.c follows; I place it in the
public domain. The only fix to /sbin/ipfw this needs is a correction to the
man page to say that the interface address is the other end of the link for
point-to-point links.

--- ip_fw.c.org Fri Nov 17 18:59:46 1995

                         */
                        if(f->fw_via.s_addr && rif)
                        {
-                               if(rif->pa_addr!=f->fw_via.s_addr)
-                                       continue;       /* Mismatch */
+                               /*
+                                * For point-to-point links, the address is
+                                * the address of the other end of the link;
+                                * for others, the interface address
+                                */
+                               if(rif->flags&IFF_POINTOPOINT)
+                               {
+                                       if (rif->pa_dstaddr!=f->fw_via.s_addr)
+                                               continue;       /* Mismatch */
+                               }
+                               else
+                               {
+                                       if (rif->pa_addr!=f->fw_via.s_addr)
+                                               continue;       /* Mismatch */
+                               }
                        }
                        /*
                         *      Drop through - this is a match

--

  Someone might have noticed that if you have a point-to-point link and an
  Ethernet or similar link in the same machine, they have the same interface
  (IP) address and thus cannot be firewalled with the normal interface-based
  firewall in the Linux (1.2.x at least) networking code. Here's a patch for
  that.

  This changes the firewalling code so that the interface address specified to
  ipfw (iface xxx.xxx.xxx.xxx) is the address of the _other_ end of the link
  (not this machine) for point-to-point links (and this machine's address for
  all other links, as it has always been).

I can't speak for how anyone else has their system configured, but I give
my PPP interface a different local IP address than my ethernet interface,
so this has never been a problem.  I wasn't aware it was reasonable to have
multiple interfaces with the same local IP address.

                Leonard

I've also setup a machine whose SLIP interface was xx.xx.xx.2 and the
ethernet interface was xx.xx.xx.4. This worked (and is working) just
fine.

--
Chris

I think it's good to have this possibility... And I'm using it. :)

--

"And with great power comes great responsibility. Use it wisely."
 - AD&D 2nd edition Dungeon Master's Guide

Also, this method needs no modifications to /sbin/ipfw (just a note in the
man page...).

Quote:>Whereas if you use one IP address for everything, all the tools _except_
>the firewall code works just as it should.

Quote:>Being able to reuse one address for multiple interfaces is a Good Thing.
>It doesn't make sense to waste two per link if it can be avoided.

--

"Many are the strange chances of the world, and help oft shall come from
the hands of the weak when the Wise falter." - J. R. R. Tolkien

Quote:> >Being able to reuse one address for multiple interfaces is a Good Thing.
> >It doesn't make sense to waste two per link if it can be avoided.

> Yep. And especially not two C-class networks per such a link as some routing
> configuration documents seem to suggest.

These days you can use a /30 subnet (thanks to CIDR) for links that do
require their own network (some ISDN implementations on SysV systems with
brain-dead ancient networking code), but of course it must not be the a
subnetwork of the Ethernet you're otherwise using (that's the fault of the
"ancient networking" part).

Am I _ever_ glad that there are systems like Linux where problems are
_fixable_ when we find them.

--
Facts do not cease to exist because they are ignored.
               --Aldous Huxley
--

Schleiermacherstra?e 12  \  Unix+Linux+Mac    | Phone: ...please use email.
90491 Nrnberg (Germany)  \   Consulting+Networking+Programming+etc'ing     42
          PGP: 1B 89 E2 1C 43 EA 80 44  15 D2 29 CF C6 C7 E0 DE
      Click <A HREF="http://smurf.noris.de/~urlichs/finger">here</A>.

: Well, if you don't have IP addresses to waste... And different local and
: remote addresses easily generate problems with things like DNS...

It depends on what you are doing I suppose. What I understand to be
"more" standard, your PPP link has its own address so that it can be
a part of the other network. Your ethernet has its own address so it
can be a part of the local network. As long as

a) If you are routing, and you know it, clap your hands. (sorry)
b) If you are *not* routing, cause either
   1) Your local IP network is on a "illegal", non-routable, or unconnected
      network.
   2) Your local IP is linked by default through another loop, you
      certainly don't want to do something evil like routing.

As I understood it, IP Aliasing was making your machine look like several
different machines.

IP Masqerading was to make machines on your network on ref A.1 available.

Am I missing something? My machine never gets confused about which IP it
is supposed to be using. I have no idea why. :-)

eric
--
---


   ***G'Kar: "Weep for the chicken, Na'Toth. Weep for us all"***

Quote:>IP Masqerading was to make machines on your network on ref A.1 available.

Quote:>Am I missing something? My machine never gets confused about which IP it

--

"The fire's very cosy here, and the food's /very/ good, and there are
Elves when you want them. What more could one want?" - J. R. R. Tolkien

Quote:

> It depends on what you are doing I suppose. What I understand to be
> "more" standard, your PPP link has its own address so that it can be
> a part of the other network. Your ethernet has its own address so it
> can be a part of the local network. As long as

Quote:> As I understood it, IP Aliasing was making your machine look like several
> different machines.

--

Schleiermacherstra?e 12  \  Unix+Linux+Mac    | Phone: ...please use email.
90491 Nrnberg (Germany)  \   Consulting+Networking+Programming+etc'ing     42
          PGP: 1B 89 E2 1C 43 EA 80 44  15 D2 29 CF C6 C7 E0 DE
      Click <A HREF="http://smurf.noris.de/~urlichs/finger">here</A>.