On Fri, 27 May 2005, Leonardo wrote:

> On 5/26/05, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> >
> > Do the packets correspond to what you expect as ICMP reply packets: src and
> > dst IP addresses are OK? What's inside the packet, i.e. the src/dst IP,
> > protocol, ports inside the ICMP error message are OK?
>
> Everything seems to be ok... src is the next hop after the gateway on
> eth2 (the VPN box), dst is eth2, TCP ports are ok. The ICMP msg correctly
> encapsulates the previous IP datagram (ACK number corresponds) that needs
> fragmentation...
> On the other hand ICMP echo packets work correctly, they report the
> same dst (eth2) and are correctly unmasqueraded and forwarded to the
> client...
>
> Could it be some distribution-related setting or patch?
> I'm using Gentoo.

Dunno. It should work out of the box.

Enable debugging in net/ipv4/netfilter/ip_conntrack_proto_icmp.c by changing

#if 0
#define DEBUGP printk

to

#if 1
#define DEBUGP printk

at the head of the file. Then recompile and boot with the new kernel.

Also, load in the ipt_LOG module and switch on internal logging in
netfilter/conntrack by

echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

Then repeat the tests and watch the kernel log.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
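Added example, not from this thread or from the kernel sources: a small Python decoder that performs the checks Jozsef asks about on a captured ICMP "fragmentation needed" datagram, i.e. whether the outer dst is the gateway's eth2 address and whether the tuple embedded in the error matches either direction of the masqueraded flow. All addresses, ports and packet bytes are constructed for illustration.

```python
import socket
import struct
GW_ETH2 = "10.0.2.10"    # assumed gateway eth2 address (constructed, not from the thread)
NEXT_HOP = "10.0.2.1"    # assumed VPN box that reports "fragmentation needed"
REMOTE = "192.0.2.50"    # assumed TCP peer the client was talking to

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since it is only parsed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_frag_needed(src, dst, mtu, inner_src, inner_dst, sport, dport):
    """Outer IPv4 + ICMP type 3/code 4 carrying the offending IP header and 8 L4 bytes."""
    inner_l4 = struct.pack("!HHI", sport, dport, 0x11223344)   # TCP sport, dport, seq
    inner = ipv4_header(inner_src, inner_dst, 6, len(inner_l4)) + inner_l4
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner      # type, code, csum, unused, MTU
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return {"ihl": ihl, "proto": buf[9],
            "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20])}

def icmp_error_tuples(pkt):
    """Return (outer_ip, embedded_tuple, mtu_or_None) for an ICMP error, else None."""
    outer = parse_ipv4(pkt)
    icmp = pkt[outer["ihl"]:]
    if outer["proto"] != 1 or icmp[0] not in (3, 11, 12):   # error types that embed a datagram
        return None
    inner = parse_ipv4(icmp[8:])
    l4 = icmp[8 + inner["ihl"]:]
    if len(l4) < 8:                                        # RFC 792: at least 8 L4 bytes
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    embedded = (inner["proto"], inner["src"], sport, inner["dst"], dport)
    mtu = struct.unpack("!H", icmp[6:8])[0] if icmp[:2] == b"\x03\x04" else None
    return outer, embedded, mtu

def check_icmp_error(pkt, original):
    """original = (proto, src, sport, dst, dport) of the masqueraded outgoing flow; returns why it does not match."""
    parsed = icmp_error_tuples(pkt)
    if parsed is None:
        return ["not an ICMP error carrying an embedded datagram"]
    outer, embedded, _ = parsed
    problems = []
    if outer["dst"] != embedded[1]:     # the error must be addressed to the sender of the inner packet
        problems.append("outer dst %s != embedded src %s" % (outer["dst"], embedded[1]))
    if embedded not in (original, original[:1] + original[3:] + original[1:3]):  # either direction
        problems.append("embedded tuple %s matches neither direction" % (embedded,))
    return problems
```

An empty list means the datagram is one conntrack can relate to the flow; a non-empty list names the field that is off, which is what the DEBUGP output should also point at.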