[PATCH] icmp-net-prohibited and icmp-host-prohibited for ipt_REJECT

Daniel Stone daniel@dustpuppy.ods.org
Sat, 10 Jun 2000 15:02:04 +1000


Excuse my ignorance. It is "communication administratively prohibited" - in
the icmp dest-unreachable group, code 13, that is ignored. Communication
with net administratively prohibited (code 9) and communication with host
administratively prohibited (code 10) are still in use. My bad.

--reject-with icmp-net-prohibited and --reject-with net-prohibited (they're
one and the same) both yield "Network is unreachable", --reject-with
icmp-host-prohibited and --reject-with host-prohibited (again, one and the
same) both yield "No route to host".

Here's the patch to iptables-1.1.0 and the latest kernel
(2.4.0-test1-ac12) - they're separated by a line of --------------'s.
d

PS: Didn't provide a ChangeLog entry as Rusty maintains the scoreboard
stuff, and there is no ChangeLog. So, I hope it's still "Correct Form" :)

diff -urN --exclude=*.so* --exclude=*.o* --exclude=*~ --exclude=*.d iptables-1.1.0/extensions/libipt_REJECT.c iptables-1.1.0-hacked/extensions/libipt_REJECT.c
--- iptables-1.1.0/extensions/libipt_REJECT.c	Wed Apr 19 18:20:59 2000
+++ iptables-1.1.0-hacked/extensions/libipt_REJECT.c	Sat Jun 10 13:44:07 2000
@@ -27,7 +27,11 @@
 	{"icmp-proto-unreachable", "proto-unreach",
 		IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
 	{"echo-reply", "echoreply",
-		IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"}
+		IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
+	{"icmp-net-prohibited", "net-prohibited",
+		IPT_ICMP_NET_PROHIBITED, "ICMP communication with net prohibited"},
+	{"icmp-host-prohibited", "host-prohibited",
+		IPT_ICMP_HOST_PROHIBITED, "ICMP communication with host prohibited"}
 };
 
 static void
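Review bot: the new entries reference IPT_ICMP_NET_PROHIBITED and IPT_ICMP_HOST_PROHIBITED, which only exist once the ipt_REJECT.h change later in this same patch is applied, so an iptables build against an unpatched kernel header fails with undeclared identifiers; the submission should say the userspace part depends on the kernel header change. A smaller point: the header hunk inserts the two new values before IPT_ICMP_ECHOREPLY while this table appends them after the "echo-reply" row; lookup is by the explicit enum value so it still works, but keeping the table in the same order as the enum makes the two easier to audit side by side.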
diff -urN --exclude=*.so* --exclude=*.o* --exclude=*~ --exclude=*.d iptables-1.1.0/iptables.8 iptables-1.1.0-hacked/iptables.8
--- iptables-1.1.0/iptables.8	Mon May  8 14:36:45 2000
+++ iptables-1.1.0-hacked/iptables.8	Sat Jun 10 14:11:04 2000
@@ -531,13 +531,20 @@
 The type given can be 
 .BR icmp-net-unreachable ,
 .BR icmp-host-unreachable ,
-.BR icmp-port-unreachable or
-.BR icmp-proto-unreachable
+.BR icmp-port-unreachable ,
+.BR icmp-proto-unreachable ,
+.BR icmp-net-prohibited or
+.BR icmp-host-prohibited
 which return the appropriate ICMP error message (net-unreachable is
 the default).  The option 
 .B echo-reply
 is also allowed; it can only be used for rules which specify an ICMP
 ping packet, and generates a ping reply.
+.B icmp-net-prohibited
+and 
+.B icmp-host-prohibited
+are NOT recommended! This is because these ICMP types are officially
+depreciated, and may break some routers/hosts. Use with caution.
 .SS TOS
 This is used to set the 8-bit Type of Service field in the IP header.
 It is only valid in the
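Review bot: "depreciated" in the added paragraph should be "deprecated". The added warning also contradicts the cover note, which says codes 9 and 10 are still in use and that it is code 13 that is ignored; the man page should state which is actually the case and, to let administrators judge the risk of intermediate routers dropping the reply, name the ICMP code each option emits, e.g. "icmp-net-prohibited sends destination-unreachable code 9 (communication with net administratively prohibited)". "are NOT recommended!" followed by "Use with caution." says the same thing twice; one measured sentence is enough for a man page.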

---------------netfilter patch ends, kernel patch starts------------

diff -urN linux/CREDITS linux-admin-prohib/CREDITS
--- linux/CREDITS	Sat Jun 10 14:27:14 2000
+++ linux-admin-prohib/CREDITS	Sat Jun 10 14:48:06 2000
@@ -2394,6 +2394,12 @@
 S: DK-1860 Frederiksberg C
 S: Denmark
 
+N: Daniel Stone
+E: tamriel@ductape.net
+W: http://dustpuppy.ods.org
+D: Communication with {host|net} administratively prohibited patch for
+Netfilter's REJECT target
+
 N: Drew Sullivan
 E: drew@ss.org
 W: http://www.ss.org/
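Review bot: the continuation line "Netfilter's REJECT target" is missing the "D:" prefix that the CREDITS format puts on every line of a multi-line description; make it "D: Netfilter's REJECT target". Also, the E: address (tamriel@ductape.net) differs from the address the patch is posted from (daniel@dustpuppy.ods.org); confirm which one should be on record.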
diff -urN linux/include/linux/netfilter_ipv4/ipt_REJECT.h linux-admin-prohib/include/linux/netfilter_ipv4/ipt_REJECT.h
--- linux/include/linux/netfilter_ipv4/ipt_REJECT.h	Tue Mar 28 04:35:56 2000
+++ linux-admin-prohib/include/linux/netfilter_ipv4/ipt_REJECT.h	Sat Jun 10 14:43:18 2000
@@ -6,6 +6,8 @@
 	IPT_ICMP_HOST_UNREACHABLE,
 	IPT_ICMP_PROT_UNREACHABLE,
 	IPT_ICMP_PORT_UNREACHABLE,
+	IPT_ICMP_NET_PROHIBITED,
+	IPT_ICMP_HOST_PROHIBITED,
 	IPT_ICMP_ECHOREPLY
 };
 
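Review bot: inserting IPT_ICMP_NET_PROHIBITED and IPT_ICMP_HOST_PROHIBITED before IPT_ICMP_ECHOREPLY renumbers IPT_ICMP_ECHOREPLY, and that enum value is what userspace stores in the rule's REJECT target data and the kernel switches on; an iptables binary built against the old header would request echo-reply and a patched kernel would read that number as IPT_ICMP_NET_PROHIBITED and send the wrong ICMP message with no error. Append the two new values after IPT_ICMP_ECHOREPLY instead so the existing values keep their numbers.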
diff -urN linux/net/ipv4/netfilter/ipt_REJECT.c linux-admin-prohib/net/ipv4/netfilter/ipt_REJECT.c
--- linux/net/ipv4/netfilter/ipt_REJECT.c	Sat Jun 10 14:28:05 2000
+++ linux-admin-prohib/net/ipv4/netfilter/ipt_REJECT.c	Sat Jun 10 14:43:00 2000
@@ -43,6 +43,12 @@
     	case IPT_ICMP_PORT_UNREACHABLE:
     		icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
     		break;
+    	case IPT_ICMP_NET_PROHIBITED:
+    		icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
+    		break;
+    	case IPT_ICMP_HOST_PROHIBITED:
+    		icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
+    		break;	
     	case IPT_ICMP_ECHOREPLY: {
 		struct icmphdr *icmph  = (struct icmphdr *)
 			((u_int32_t *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl);
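Review bot: the "break;" closing the IPT_ICMP_HOST_PROHIBITED case carries a trailing tab; strip it. The two new cases otherwise mirror the existing IPT_ICMP_PORT_UNREACHABLE case exactly (icmp_send with ICMP_DEST_UNREACH and the ICMP_NET_ANO / ICMP_HOST_ANO code), which is the right shape; since the cover note explains these are the administratively-prohibited codes 9 and 10, a one-line comment saying so at the two cases would spare the next reader the lookup.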