Re: ECN mangling

On Fri, Dec 27, 2002 at 07:36:24AM +0000, Athanasius wrote:
> iptables -t mangle -A OUTPUT -o eth1 -p tcp -d IP/32 --match ecn --ecn-ip-ect 0 -j ECN --ecn-tcp-remove
> 
> 07:32:02.470307 80.4.77.247.33919 > 212.250.5.117.80: S [bad tcp cksum bf40!] 322522142:322522142(0) win 5840 <mss 1460,sackOK,timestamp 2077600 0,nop,wscale 0> (DF) (ttl 64, id 65470, len 60)
> 
> and the packets never seem to do much.  Of course once I'd added a few
> -v's to tcpdump as above I can see the problem "[bad tcp cksum bf40!]".
> It would seem that mangling the packet in this way is causing the tcp
> checksum to become invalid.

  I should have said this before.  This is specifically using kernel
2.4.21-pre21, no additional patches, and iptables-1.2.7a as provided in
Debian unstable (I grabbed the source then compiled and installed it on a
Debian stable/woody/3.0 system).

  Looking at latest CVS there don't seem to be any changes to the code
in net/ipv4/netfilter/ipt_ECN.c.  Not being up to speed with how the code
all works, it looks like it should be working:

        if (diffs[0] != *tcpflags) {
                diffs[0] = htons(diffs[0]) ^ 0xFFFF;
                diffs[1] = htons(*tcpflags);
                tcph->check = csum_fold(csum_partial((char *)diffs,
                                                    sizeof(diffs),
                                                    tcph->check^0xFFFF));
                (*pskb)->nfcache |= NFC_ALTERED;

                return 1;
        }

But it obviously isn't.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
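
Added example (not part of the original message and not the kernel's code): the fragment quoted above is an incremental checksum update of the form HC' = ~(~HC + ~m + m') from RFC 1624. The C below uses a constructed 20-byte TCP header, with the pseudo-header left out, and checks the update against a full recompute after clearing ECE and CWR, once with the old and new flag words in packet byte order and once with them byte-swapped. The swapped case is a hypothetical model; this page does not establish it as the cause of the bad checksum reported above.

```c
#include <stdint.h>
#include <stdio.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Full checksum over an even-length buffer, words read in wire order. */
static uint16_t full_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    return (uint16_t)~fold(sum);
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'), all words in wire order. */
static uint16_t incr_csum(uint16_t check, uint16_t old_w, uint16_t new_w)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~check + (uint16_t)~old_w + new_w);
}
static uint16_t swap16(uint16_t w) { return (uint16_t)(w << 8 | w >> 8); }

/* Clear ECE|CWR on a constructed SYN; return 1 if the incrementally
 * updated checksum equals a full recompute. swap_diffs=1 byte-swaps the
 * old/new words first (hypothetical: diff words not in packet byte order). */
int ecn_remove_matches(int swap_diffs)
{
    /* Constructed 20-byte TCP header; pseudo-header left out for brevity. */
    uint8_t h[20] = { 0x84,0x7F, 0x00,0x50, 0x12,0x34,0x56,0x78, 0,0,0,0,
                      0x50,0xC2, 0x16,0xD0, 0,0, 0,0 };
    uint16_t check = full_csum(h, sizeof h);         /* checksum field is 0 here */
    uint16_t old_w = (uint16_t)(h[12] << 8 | h[13]); /* offset + flags word */
    h[13] &= (uint8_t)~0xC0;                         /* drop CWR (0x80), ECE (0x40) */
    uint16_t new_w = (uint16_t)(h[12] << 8 | h[13]);
    if (swap_diffs) { old_w = swap16(old_w); new_w = swap16(new_w); }
    return incr_csum(check, old_w, new_w) == full_csum(h, sizeof h);
}

int main(void)
{
    printf("wire-order diffs match: %d, swapped diffs match: %d\n",
           ecn_remove_matches(0), ecn_remove_matches(1));
    return 0;
}
```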
