Re: Problems regarding IPtables

On Thu 08/04/2004 at 10:06, raman mittal wrote:
> I am a student graduating in Indian Institute of Technology, India.
> I have a small problem regarding IP tables. I am capturing DNS reply
> packets (which are later to be forwarded to a client) at the firewall and
> QUEUEing them using IPQ library for altering the DNS answer section in the
> user space using the forward chain of filter table.

OK.

> I have changed the answer section of the DNS reply, which results in
> change of checksum fields in IP and UDP header. I have also corrected the
> checksum of both the headers but the problem is that after doing
> this, reverse SNAT takes place automatically (because of DNAT done
> earlier) which again changes the checksum and the packets get dropped at
> the client side.

I must admit I'm quite puzzled.

UDP packet containing DNS answer arrives, with good checksums. You
capture it and modify DNS answer. For it may modify data length, you
have to recompute IP checksum. For it modifies UDP payload, you have to
recompute UDP checksum as well. So you reinject a packet with good
checksums. Then goes SNAT which modifies IP, and optionally UDP, header,
so recomputes checksum. But checksums recomputed by SNAT should be good
as well.

So my question: are you sure checksums are to blame for packet
rejection at client side? If they're OK, there's no reason for the
packet to get rejected.

BTW, UDP checksum is optional. Maybe you zero it to disable UDP checksum
check at client side.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
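
The checksum steps discussed in the message above, as an added C example that is not code from this thread or from libipq. The function names are hypothetical, and the code assumes an unfragmented IPv4/UDP packet held entirely in the caller's buffer; `verify_ipv4_udp` can be run on a packet before reinjection to test whether checksums really are at fault.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 ones'-complement sum of len bytes, added to a running sum. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero-padded */
    return sum;
}
static uint16_t fold(uint32_t sum) {          /* fold carries, then complement */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* UDP sum: pseudo-header (src, dst, proto 17, UDP length) + header + payload. */
static uint16_t udp_sum(const uint8_t *pkt, const uint8_t *udp, size_t ulen) {
    return fold(sum16(udp, ulen, sum16(pkt + 12, 8, 0) + 17 + (uint32_t)ulen));
}

/* After the payload became payload_len bytes: fix both lengths, then both checksums. */
void fix_ipv4_udp(uint8_t *pkt, size_t payload_len) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, ulen = 8 + payload_len;
    uint8_t *udp = pkt + ihl;
    put16(pkt + 2, ihl + ulen);               /* IP total length */
    put16(pkt + 10, 0);                       /* checksum field is zero while summing */
    put16(pkt + 10, fold(sum16(pkt, ihl, 0)));
    put16(udp + 4, ulen);                     /* UDP length */
    put16(udp + 6, 0);
    uint16_t c = udp_sum(pkt, udp, ulen);
    put16(udp + 6, c ? c : 0xffff);           /* 0 on the wire means "no checksum" */
}

/* 1 if both checksums verify; a zero UDP checksum counts as "not computed". */
int verify_ipv4_udp(const uint8_t *pkt) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    const uint8_t *udp = pkt + ihl;
    size_t ulen = ((size_t)udp[4] << 8) | udp[5];
    if (fold(sum16(pkt, ihl, 0)) != 0) return 0;      /* IP header checksum */
    if (udp[6] == 0 && udp[7] == 0) return 1;         /* UDP checksum disabled */
    return udp_sum(pkt, udp, ulen) == 0;
}

int main(void) {   /* constructed sample: 192.168.0.1:53 -> 192.168.0.199:1024, payload "ab" */
    uint8_t pkt[30] = {0x45,0,0,0, 0,0,0x40,0, 0x40,0x11,0,0, 192,168,0,1, 192,168,0,199,
                       0,53, 4,0, 0,0, 0,0, 'a','b'};
    fix_ipv4_udp(pkt, 2);
    printf("udp checksum %02x%02x, verify=%d\n", pkt[26], pkt[27], verify_ipv4_udp(pkt));
    return 0;
}
```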


