The first one states that there is a problem with the TCP checksum in the case a packet has been stripped of ECN bits. The problem was also reported by Graham Murray in August.
The answer was that this is due to tcpdump getting a cloned copy of the packet:
Now, if I send a TCP packet stripped with --ecn-tcp-remove to a box and I dump packets there, the TCP checksum is incorrect and the box will not respond. If I remove the rule, packets get there with the correct checksum and the box responds.
What's interesting is that if I put these rules:
iptables -A OUTPUT -t mangle -o ppp0 -p tcp -d my.host.org --dport 80 -j ECN --ecn-tcp-remove
iptables -A OUTPUT -o ppp0 -p tcp -d my.host.org --dport 80 -m unclean -j DROP
Packets will actually be dropped! Something strange for being normal, isn't it? Or does iptables treat ECN-stripped packets as unclean, and this is supposed to be normal? Anyway, iptables seems not to be the only one, so the ECN target is actually pretty useless.
(using linux-2.4.20 and iptables-1.2.7a)
Thanks for your attention.
Andrea
Subject: -j ECN --ecn-tcp-remove seems to be mangling the TCP checksum...
From: netfilter@horizon.com
Date: 27 Sep 2002 06:27:53 -0000
To: netfilter@lists.netfilter.org

bash-2.05b# iptables -t mangle -A fix-ecn -d 1.1.1.1 -p tcp -j ECN --ecn-tcp-remove
bash-2.05b# echo 1 > /proc/sys/net/ipv4/tcp_ecn ; telnet 1.1.1.1 80
01:52:20.662338 science.horizon.com.11058 > 1.1.1.1.www: S [bad tcp cksum bf40!] 2655433521:2655433521(0) win 5840 <mss 1460,sackOK,timestamp 14290984 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 41753, len 60)
4510 003c a319 4000 4006 716c c023 6401
0101 0101 2b32 0050 9e46 b331 0000 0000
a002 16d0 3c55 0000 0204 05b4 0402 080a
00da 1028 0000 0000 0103 0300

Now I'll turn tcp_ecn off again:

bash-2.05b# echo 0 > /proc/sys/net/ipv4/tcp_ecn ; telnet 1.1.1.1 80
01:52:36.771155 science.horizon.com.11059 > 1.1.1.1.www: S [tcp sum ok] 2671050014:2671050014(0) win 5840 <mss 1460,sackOK,timestamp 14292595 0,nop,wscale 0> (DF) [tos 0x10] (ttl 64, id 60269, len 60)
4510 003c eb6d 4000 4006 2918 c023 6401
0101 0101 2b33 0050 9f34 fd1e 0000 0000
a002 16d0 2bed 0000 0204 05b4 0402 080a
00da 1673 0000 0000 0103 0300

Notice the bad tcp checksum in the third case.
Subject: Re: -j ECN --ecn-tcp-remove seems to be mangling the TCP checksum...
From: Maciej Soltysiak <solt@dns.toxicfilms.tv>
Date: Mon, 30 Sep 2002 11:55:56 +0200 (CEST)
To: netfilter@horizon.com
CC: netfilter@lists.netfilter.org

> Is this a bug? The ipt_ECN.c file is ipt_ECN.c,v 1.4 2002/08/05 19:36:51 laforge Exp
No it is not. Do the same with a remote host. Send ECN-stripped packets to some other host, and tcpdump there. The checksum will be ok. It is the problem with tcpdump getting a cloned copy of the packet; read RR's FIXME notes in the netfilter sources about it. I noticed that too, once, and thought it was a checksum calculation bug.
Maciej Soltysiak
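The two captures quoted in the thread can be checked offline. The Python below is an added example, not code from the thread or from netfilter: it recomputes the TCP checksum over both hex dumps (the first gives exactly the residual tcpdump printed, bf40; the second verifies), and patch_tcp_flags shows the incremental checksum fix-up (RFC 1624 eq. 3) that any mangle target clearing CWR/ECE has to apply so the packet on the wire stays valid. All function names are my own.

```python
import struct

# The two 60-byte packets (IP + TCP) copied from the tcpdump -x output quoted in the thread.
PKT_BAD = bytes.fromhex(  # tcp_ecn=1, after -j ECN --ecn-tcp-remove: "[bad tcp cksum bf40!]"
    "4510 003c a319 4000 4006 716c c023 6401 0101 0101 2b32 0050 9e46 b331 0000 0000 "
    "a002 16d0 3c55 0000 0204 05b4 0402 080a 00da 1028 0000 0000 0103 0300")
PKT_OK = bytes.fromhex(   # tcp_ecn=0, so the rule had nothing to strip: "[tcp sum ok]"
    "4510 003c eb6d 4000 4006 2918 c023 6401 0101 0101 2b33 0050 9f34 fd1e 0000 0000 "
    "a002 16d0 2bed 0000 0204 05b4 0402 080a 00da 1673 0000 0000 0103 0300")
ECE_CWR = 0x00C0  # ECE (0x40) and CWR (0x80) sit in the low byte of the TCP offset/flags word

def ones_sum(data: bytes, start: int = 0) -> int:
    """Ones-complement sum of big-endian 16-bit words, folded to 16 bits (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = start + sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo(pkt: bytes, seg: bytes) -> int:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length
    return ones_sum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg)))

def tcp_residual(pkt: bytes) -> int:
    """Sum over pseudo-header + whole segment, checksum field included: 0xFFFF means it
    verifies; anything else is the value tcpdump prints after 'bad tcp cksum'."""
    seg = pkt[(pkt[0] & 0x0F) * 4:]
    return ones_sum(seg, _pseudo(pkt, seg))

def tcp_checksum(pkt: bytes) -> int:
    """Full recomputation of the TCP checksum with the checksum field zeroed."""
    seg = pkt[(pkt[0] & 0x0F) * 4:]
    return ~ones_sum(seg[:16] + b"\x00\x00" + seg[18:], _pseudo(pkt, seg)) & 0xFFFF

def patch_tcp_flags(pkt: bytes, clear_bits: int = ECE_CWR, set_bits: int = 0) -> bytes:
    """What a mangle target such as -j ECN --ecn-tcp-remove has to do: change the flags word
    and fix the checksum incrementally, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')."""
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    old = struct.unpack_from("!H", out, ihl + 12)[0]
    new = ((old & ~clear_bits) | set_bits) & 0xFFFF
    if new == old:
        return bytes(out)
    hc = struct.unpack_from("!H", out, ihl + 16)[0]
    fixed = ~ones_sum(struct.pack("!HH", ~old & 0xFFFF, new), ~hc & 0xFFFF) & 0xFFFF
    struct.pack_into("!H", out, ihl + 12, new)
    struct.pack_into("!H", out, ihl + 16, fixed)
    return bytes(out)
```

tcp_residual(PKT_BAD) returns 0xbf40, the same residual tcpdump reported, so the capture really does carry a checksum that does not match the stripped flags.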