On Fri, Dec 27, 2002 at 07:36:24AM +0000, Athanasius wrote:
> iptables -t mangle -A OUTPUT -o eth1 -p tcp -d IP/32 --match ecn --ecn-ip-ect 0 -j ECN --ecn-tcp-remove
>
> 07:32:02.470307 80.4.77.247.33919 > 212.250.5.117.80: S [bad tcp cksum bf40!] 322522142:322522142(0) win 5840 <mss 1460,sackOK,timestamp 2077600 0,nop,wscale 0> (DF) (ttl 64, id 65470, len 60)
>
> and the packets never seem to do much. Of course once I'd added a few
> -v's to tcpdump as above I can see the problem "[bad tcp cksum bf40!]".
> It would seem that mangling the packet in this way is causing the tcp
> checksum to become invalid.

I should have said this before. This is specifically using kernel
2.4.21-pre21, no additional patches, and iptables-1.2.7a as provided in
Debian unstable (I grabbed the source then compiled and installed it on a
Debian stable/woody/3.0 system).

Looking at latest CVS there don't seem to be any changes to the code in
net/ipv4/netfilter/ipt_ECN.c.

Not being up to speed with how the code all works, it looks like it should
be working:

	if (diffs[0] != *tcpflags) {
		diffs[0] = htons(diffs[0]) ^ 0xFFFF;
		diffs[1] = htons(*tcpflags);
		tcph->check = csum_fold(csum_partial((char *)diffs,
						    sizeof(diffs),
						    tcph->check^0xFFFF));
		(*pskb)->nfcache |= NFC_ALTERED;

		return 1;
	}

But it obviously isn't.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
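An incremental checksum update of the kind the quoted fragment performs, as an added example that is not part of the original message or the kernel source: it clears ECE/CWR in a constructed SYN segment, patches the checksum per RFC 1624, and re-sums the whole segment, then repeats the update with only the old/new flag words byte-swapped. The helper names (`fold`, `csum16`, `csum_update`, `strip_ecn`) and the sample addresses are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Fold carries back in: one's-complement addition on 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Internet checksum over big-endian 16-bit words (len must be even). */
static uint16_t csum16(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    return (uint16_t)~fold(sum);
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'), all values in one byte order. */
static uint16_t csum_update(uint16_t hc, uint16_t m, uint16_t m_new)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m + m_new);
}

/* Clear ECE/CWR, patch the checksum incrementally, re-sum the segment: 0 means
 * still valid. swap_diffs puts only the flag words in the other byte order. */
static uint16_t strip_ecn(int swap_diffs)
{
    /* Constructed sample: 12-byte pseudo-header + 20-byte SYN with ECE|CWR. */
    uint8_t b[32] = {
        192, 0, 2, 1, 198, 51, 100, 2, 0, 6, 0, 20, /* src, dst, proto, len */
        0x84, 0x7f, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, /* ports, seq, ack */
        0x50, 0xc2, 0x16, 0xd0, 0, 0, 0, 0 /* off/flags, win, check, urgent */
    };
    uint16_t hc = csum16(b, sizeof b); /* check field is still zero here */
    uint16_t m = (uint16_t)(b[24] << 8 | b[25]);
    b[25] &= 0x3F; /* drop CWR (0x80) and ECE (0x40) */
    uint16_t m_new = (uint16_t)(b[24] << 8 | b[25]);
    if (swap_diffs) { /* old/new words no longer match hc's byte order */
        m = (uint16_t)(m << 8 | m >> 8);
        m_new = (uint16_t)(m_new << 8 | m_new >> 8);
    }
    hc = csum_update(hc, m, m_new);
    b[28] = (uint8_t)(hc >> 8); b[29] = (uint8_t)hc;
    return csum16(b, sizeof b);
}

int main(void) { return !(strip_ecn(0) == 0 && strip_ecn(1) != 0); }
```

On this sample `strip_ecn(0)` returns 0, while `strip_ecn(1)` returns 0x40bf, meaning the segment re-sums to 0xbf40 instead of 0xffff.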