* ipq_set_verdict problem in bridge+iptables
[not found] <20030712222620.28732.48265.Mailman@kashyyyk>
@ 2003-07-13 3:11 ` Yong Li
2003-07-14 8:07 ` Harald Welte
0 siblings, 1 reply; 3+ messages in thread
From: Yong Li @ 2003-07-13 3:11 UTC (permalink / raw)
To: netfilter-devel
Hello All,
I encountered a problem with the ipq_set_verdict function. I want to modify
the packet content and size using the ipq_set_verdict function. However, I
found I cannot change the IP packet size more than 400+ bytes. Is it a known
issue?
Thanks in advance!
Yong
* Re: ipq_set_verdict problem in bridge+iptables
2003-07-13 3:11 ` ipq_set_verdict problem in bridge+iptables Yong Li
@ 2003-07-14 8:07 ` Harald Welte
[not found] ` <001c01c34a6f$97af4fe0$8501a8c0@dev>
0 siblings, 1 reply; 3+ messages in thread
From: Harald Welte @ 2003-07-14 8:07 UTC (permalink / raw)
To: Yong Li; +Cc: netfilter-devel
On Sun, Jul 13, 2003 at 11:11:16AM +0800, Yong Li wrote:
> Hello All,
>
> I encountered a problem with the ipq_set_verdict function. I want to modify
> the packet content and size using the ipq_set_verdict function. However, I
> found I cannot change the IP packet size more than 400+ bytes. Is it a known
> issue?
What do you mean by 'I cannot'? What happens? Is an error returned to
the ipq_set_verdict() call? Is the packet silently discarded? Is the
packet truncated?
Anyway, it should work. But if you exceed the outgoing interface's MTU,
I could imagine that no fragmentation happens...
> Thanks in advance!
> Yong
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: ipq_set_verdict problem in bridge+iptables
[not found] ` <001c01c34a6f$97af4fe0$8501a8c0@dev>
@ 2003-07-15 3:24 ` Yong
0 siblings, 0 replies; 3+ messages in thread
From: Yong @ 2003-07-15 3:24 UTC (permalink / raw)
To: Yong, Harald Welte; +Cc: netfilter-devel
----- Original Message -----
From: "Yong" <sdssly@sina.com>
To: "Harald Welte" <laforge@netfilter.org>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Tuesday, July 15, 2003 9:22 AM
Subject: Re: ipq_set_verdict problem in bridge+iptables
> Hello Harald,
>
> Thank you for your emails!
>
> I want to use the iptable_queue in a bridge+iptables environment. I can get the packet in userspace using the -j QUEUE command. However, if I change the packet size, for example, if I change the ping ICMP packet size to 400, the packet's Ethernet header is changed. In my test, the MAC address is changed to 0xffffffffff. I can capture this packet using a sniffer tool. Since the MAC address is changed, the other computer cannot receive the ICMP packet.
>
> It seems that the bridge iptables patch changed something in the function ipq_set_verdict().
>
> Regarding the MTU issue, you are right. The ipq_set_verdict function does not perform IP fragmentation. If I send a packet larger than the MTU, it is missing. Is it by design?
>
> Can I modify the ipq_set_verdict function to perform IP fragmentation? Is there any patch for this IP fragmentation issue?
>
> Thank you again for your help!
>
> Yong
>
> ----- Original Message -----
> From: "Harald Welte" <laforge@netfilter.org>
> To: "Yong Li" <sdssly@sina.com>
> Cc: <netfilter-devel@lists.netfilter.org>
> Sent: Monday, July 14, 2003 4:07 PM
> Subject: Re: ipq_set_verdict problem in bridge+iptables
>
> On Sun, Jul 13, 2003 at 11:11:16AM +0800, Yong Li wrote:
> > Hello All,
> >
> > I encountered a problem with the ipq_set_verdict function. I want to modify
> > the packet content and size using the ipq_set_verdict function. However, I
> > found I cannot change the IP packet size more than 400+ bytes. Is it a known
> > issue?
>
> What do you mean by 'I cannot'? What happens? Is an error returned to
> the ipq_set_verdict() call? Is the packet silently discarded? Is the
> packet truncated?
>
> Anyway, it should work. But if you exceed the outgoing interface's MTU,
> I could imagine that no fragmentation happens...
>
> > Thanks in advance!
> > Yong
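The thread above reports that a resized packet larger than the outgoing MTU goes missing after the verdict. The following is an added example, not code from the thread or from libipq: a userspace check that fixes up the IPv4 header of a resized packet and refuses it when it would exceed the MTU. The function names and the caller-supplied MTU are assumptions, and upper-layer checksums (such as ICMP) are left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One's-complement checksum over the IPv4 header (RFC 1071). */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Hypothetical helper: prepare a resized IPv4 packet before it is handed
 * back with the verdict. Returns 0 when the header was updated, -1 when
 * the packet is malformed, -2 when new_len exceeds the MTU (the packet is
 * left untouched so the caller can drop or shrink it instead).
 * On 0, new_len and pkt are what the caller would pass as the data_len
 * and buf arguments of ipq_set_verdict().
 */
int prepare_resized_ipv4(uint8_t *pkt, size_t buf_len, size_t new_len, size_t mtu)
{
    if (new_len > buf_len || new_len < 20 || new_len > 0xffff)
        return -1;
    if ((pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > new_len)
        return -1;
    if (new_len > mtu)
        return -2;
    pkt[2] = (uint8_t)(new_len >> 8);           /* total length field */
    pkt[3] = (uint8_t)(new_len & 0xff);
    pkt[10] = pkt[11] = 0;                      /* zero before summing */
    uint16_t c = ip_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(c >> 8);
    pkt[11] = (uint8_t)(c & 0xff);
    return 0;
}

int main(void)
{
    /* Constructed sample: 20-byte IPv4 header, checksum zeroed, room to grow. */
    uint8_t pkt[1600] = { 0x45,0,0,0x54, 0,0,0x40,0, 0x40,0x11,0,0,
                          0xc0,0xa8,0,1, 0xc0,0xa8,0,0xc7 };
    printf("grow to 115: %d\n", prepare_resized_ipv4(pkt, sizeof pkt, 115, 1500));
    printf("grow to 1501: %d\n", prepare_resized_ipv4(pkt, sizeof pkt, 1501, 1500));
    return 0;
}
```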