Re: Re: multipath routing problem [Shorter version] - Help still needed :-)

Linux Advanced Routing and Traffic Control


 



On Fri, 2002-10-25 at 20:45, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Fri, 25 Oct 2002, Arthur van Leeuwen wrote:
> 
> > > 	Now I see, then the TOS is a big problem for you. Maybe
> > > your problem will be solved if TOS is not a routing key, but
> > > it does not sound like a thing that is easy to fix in the kernel.
> >
> > Actually, you can simply play whack-a-mole with the TOS value, using
> > ipchains (or iptables), killing all TOS values present on the packets.
> > Of course, this is not very *nice*, but it'll work.
> 
> 	This is a good idea. Vincent, maybe you can play with
> ipchains -t AND XOR in the input chain to see what happens. Just make sure
> you don't touch bits 0, 1, 5, 6, 7. It seems the routing uses only bits
> 2, 3 and 4 for the routing key (if I'm not overlooking something).
> This is for kernel 2.4. For kernel 2.2 it seems bit 1 is also
> included in the routing key.
> 
> 2.4		mask 0x1C, inverted 0xE3
> 2.2		mask 0x1E, inverted 0xE1
> 
> 	So, for 2.2 maybe:
> 
> ipchains -I input -d 0.0.0.0/0 22 -t 0xE3 0x00
Just tried. Now SSH connections don't break anymore!!! :) Thanks!
Am I supposed to do this on both sides, or is doing this on the firewall
itself enough?

> 
> 	What are the TOS values used during the SSH session?
Right after authentication, the TOS value is set to 0x10:

20:53:46.515566 192.168.0.2.ssh > 172.1.1.3.2418: R
4008315859:4008315859(0) win 0 [tos 0x10]

The only problem with this is that I will need to do this trick for any
application changing its TOS during the session. It seems that FTP
behaves exactly the same way as SSH regarding the TOS field.

Do you guys know if many applications do this? Or is this just
particular to SSH & FTP?

Anyway, I really would like to understand why it doesn't work when doing
NAT.

A big thanks to both of you. I've learned a lot today :)

Thanks again.
Regards,
Vincent.

> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>
-- 
Vincent Jaussaud
Kelkoo.com Security Manager 
email: tatooin@kelkoo.com

"The UNIX philosophy is to design small tools that do one thing, and do
it well."

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
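The following is an added example and not code posted in this thread or taken from the kernel. It models the mechanism the thread discusses: on Linux 2.4 the IPv4 routing key takes bits 2-4 of the TOS byte (mask 0x1C, inverted 0xE3) and on 2.2 bits 1-4 (mask 0x1E, inverted 0xE1), so when sshd switches the session to TOS 0x10 after authentication, the flow gets a new route-cache entry and, under multipath, possibly a different next hop. The ipchains `-t andmask xormask` rewrite with the inverted mask clears exactly the routed bits while leaving precedence and the remaining bits alone. The route cache and the round-robin next-hop choice below are a deliberately simplified model (the real kernel picks per new cache entry, which does not help the flow), and the destination 172.1.1.3 and the 0x00 then 0x10 TOS sequence are constructed to mirror the tcpdump line quoted above.

```c
/*
 * Added example, not code from the LARTC thread or the kernel: a model of
 * why a mid-session TOS change moves a flow onto a different multipath next
 * hop, and what the suggested "ipchains -t andmask xormask" rule does.
 * Thread-supplied facts: routing-key masks 0x1C (2.4) and 0x1E (2.2).
 * Everything about the route cache and next-hop choice is a simplification.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPTOS_TOS_MASK 0x1E                  /* bits 1-4 of the TOS byte */
#define IPTOS_RT_MASK  (IPTOS_TOS_MASK & ~3) /* 0x1C: bits 2-4 */

enum kernel_gen { KERNEL_2_2, KERNEL_2_4 };

/* Part of the TOS byte that acts as a routing key on this kernel generation. */
static uint8_t tos_key_mask(enum kernel_gen k)
{
    return k == KERNEL_2_2 ? IPTOS_TOS_MASK : IPTOS_RT_MASK;
}

uint8_t tos_routing_key(enum kernel_gen k, uint8_t tos)
{
    return (uint8_t)(tos & tos_key_mask(k));
}

/* AND mask for "ipchains -t andmask xormask": clears only the routed bits,
 * leaving precedence (bits 5-7), bit 0 and, on 2.4, bit 1 untouched. */
uint8_t tos_andmask_for(enum kernel_gen k)
{
    return (uint8_t)~tos_key_mask(k);        /* 0xE3 on 2.4, 0xE1 on 2.2 */
}

/* ipchains -t semantics: tos = (tos & andmask) ^ xormask */
uint8_t ipchains_tos_rewrite(uint8_t tos, uint8_t andmask, uint8_t xormask)
{
    return (uint8_t)((tos & andmask) ^ xormask);
}

/* Simplified route cache: one entry per (dst, routing key).  A miss picks a
 * next hop round-robin over the equal-cost routes; the kernel's random pick
 * per new entry has the same effect on an existing flow. */
#define MAX_CACHE 16
struct rt_cache {
    struct { uint32_t dst; uint8_t key; int nexthop; } e[MAX_CACHE];
    int n, nhops, rr;
};

int sim_route(struct rt_cache *c, enum kernel_gen k, uint32_t dst, uint8_t tos)
{
    uint8_t key = tos_routing_key(k, tos);
    for (int i = 0; i < c->n; i++)
        if (c->e[i].dst == dst && c->e[i].key == key)
            return c->e[i].nexthop;          /* cache hit: same path as before */
    int nh = c->rr++ % c->nhops;             /* miss: a fresh next-hop choice */
    if (c->n < MAX_CACHE) {
        c->e[c->n].dst = dst; c->e[c->n].key = key; c->e[c->n].nexthop = nh;
        c->n++;
    }
    return nh;
}

/* Replays an SSH-like session: setup and auth with TOS 0x00, then the
 * server switches to 0x10 (IPTOS_LOWDELAY) as in the tcpdump in the thread.
 * Returns 1 if the two halves of the session left on different next hops. */
int session_splits(enum kernel_gen k, int apply_ipchains_rule)
{
    struct rt_cache c;
    memset(&c, 0, sizeof c);
    c.nhops = 2;                             /* two equal-cost default routes */
    uint32_t dst = 0xAC010103u;              /* 172.1.1.3, constructed */
    uint8_t andmask = tos_andmask_for(k);
    uint8_t tos_pre = 0x00, tos_post = 0x10;
    if (apply_ipchains_rule) {               /* ipchains -t <andmask> 0x00 */
        tos_pre  = ipchains_tos_rewrite(tos_pre,  andmask, 0x00);
        tos_post = ipchains_tos_rewrite(tos_post, andmask, 0x00);
    }
    int nh_pre  = sim_route(&c, k, dst, tos_pre);
    int nh_post = sim_route(&c, k, dst, tos_post);
    return nh_pre != nh_post;
}

int main(void)
{
    printf("andmask: 2.4 -> 0x%02X, 2.2 -> 0x%02X\n",
           tos_andmask_for(KERNEL_2_4), tos_andmask_for(KERNEL_2_2));
    printf("2.4 session splits: without rule %d, with rule %d\n",
           session_splits(KERNEL_2_4, 0), session_splits(KERNEL_2_4, 1));
    return 0;
}
```

The model also shows where the rewrite has to sit: it must run before the routing lookup on the box that makes the multipath decision (the input chain on the router, as Julian's rule does), since a packet that reaches the route cache with TOS 0x10 already gets its own entry; with the mask applied, both 0x00 and 0x10 collapse to the same routing key and keep the same next hop.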
