* only first TCP SYN packet consulted in nat table chains - bug or feature?
@ 2004-06-21 20:06 Krzysztof Rusocki
2004-06-21 23:39 ` Peter Surda
2004-06-22 13:19 ` Henrik Nordstrom
0 siblings, 2 replies; 6+ messages in thread
From: Krzysztof Rusocki @ 2004-06-21 20:06 UTC (permalink / raw)
To: netfilter-devel
Hi,
I have a Linux 2.4.27-pre2 based nat box,
which also alters the TCPMSS of packets it
passes through.
For a really long period of time I used
a rule created by the following iptables combo:
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
-m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
However, quite recently I discovered
that the first TCP SYN packet's MSS is altered
and later SYN packets (in case of retransmission)
have the MSS unchanged (1460 - ether).
Relevant tcpdump output (ppp0) follows:
19:23:33.178771 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok]
1844185893:1844185893(0) win 5840
<mss 1452,sackOK,timestamp 54616709 0,nop,wscale 0> (DF)
[tos 0x10] (ttl 63, id 27040, len 60)
19:23:36.177492 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok]
1844185893:1844185893(0) win 5840
<mss 1460,sackOK,timestamp 54619709 0,nop,wscale 0> (DF)
[tos 0x10] (ttl 63, id 27041, len 60)
19:23:42.175696 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok]
1844185893:1844185893(0) win 5840
<mss 1460,sackOK,timestamp 54625709 0,nop,wscale 0> (DF)
[tos 0x10] (ttl 63, id 27042, len 60)
I'm just being curious here - is this a bug or feature?
For the time being I have changed that rule to use
mangle table...
Cheers,
Krzysztof
* Re: only first TCP SYN packet consulted in nat table chains - bug or feature?
From: Peter Surda @ 2004-06-21 23:39 UTC
To: netfilter-devel
On Mon, Jun 21, 2004 at 10:06:52PM +0200, Krzysztof Rusocki wrote:
> Hi,
Hi.
> However, quite recently I discovered that the first TCP SYN packet's MSS is
> altered and later SYN packets (in case of retransmission) have the MSS
> unchanged (1460 - ether).
Yes.
> I'm just being curious here - is this a bug or feature?
Feature, nat is only traversed for packets with NEW state.
> For the time being I have changed that rule to use mangle table...
That's where it should be.
> Cheers,
> Krzysztof
Bye,
Peter Surda (Shurdeek) <shurdeek@routehat.org>, ICQ 10236103, +436505122023
--
If Bill Gates had a dime for every time a Windows box crashed...
...Oh, wait a minute, he already does.
* Re: only first TCP SYN packet consulted in nat table chains - bug or feature?
From: Henrik Nordstrom @ 2004-06-22 13:19 UTC
To: Krzysztof Rusocki; +Cc: netfilter-devel
On Mon, 21 Jun 2004, Krzysztof Rusocki wrote:
> For a really long period of time I used
> a rule created by the following iptables combo:
>
> iptables -t nat -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
> -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
>
> However, quite recently I discovered
> that the first TCP SYN packet's MSS is altered
> and later SYN packets (in case of retransmission)
> have the MSS unchanged (1460 - ether).
Yes. This is by definition of the nat table.
The nat table is consulted to set up the NAT mappings of NEW sessions
only. It is not a packet mangler. To process all (selected) packets you
should use the mangle or filter tables.
If you need to remember something related to a specific session between
packets then see the CONNMARK patch in pom-ng.
Regards
Henrik
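As an added example that is not part of this thread: a small Python script that parses the tcpdump lines from Krzysztof's capture above, flags SYN retransmissions whose MSS escaped the clamp, and models Henrik's point that the nat table is consulted only for the first packet of a connection (the one that sets up the mapping) while the mangle table sees every packet. Everything in it is constructed for illustration: the capture lines are the three packets from the thread re-joined onto one line each, the traversal model is a deliberate simplification of netfilter rather than kernel code, and the clamp value 1452 is the one from the rule in the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three SYNs from the thread's tcpdump output,
# one packet per line (the original capture wraps each packet over four lines).
SAMPLE_CAPTURE = """\
19:23:33.178771 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok] 1844185893:1844185893(0) win 5840 <mss 1452,sackOK,timestamp 54616709 0,nop,wscale 0> (DF) [tos 0x10] (ttl 63, id 27040, len 60)
19:23:36.177492 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok] 1844185893:1844185893(0) win 5840 <mss 1460,sackOK,timestamp 54619709 0,nop,wscale 0> (DF) [tos 0x10] (ttl 63, id 27041, len 60)
19:23:42.175696 83.27.53.238.1206 > 1.2.3.4.45454: S [tcp sum ok] 1844185893:1844185893(0) win 5840 <mss 1460,sackOK,timestamp 54625709 0,nop,wscale 0> (DF) [tos 0x10] (ttl 63, id 27042, len 60)
"""

# Matches the tcpdump 3.x SYN line format used in the thread: timestamp, endpoints,
# the "S" flag, the ISN, and the advertised MSS option.
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"S .*?(?P<seq>\d+):\d+\(0\) .*?<mss (?P<mss>\d+)"
)


@dataclass(frozen=True)
class Syn:
    ts: str
    flow: tuple   # (src, sport, dst, dport, isn): one connection attempt and its retransmits
    mss: int


def parse_syns(capture: str) -> List[Syn]:
    """Extract SYN packets with their advertised MSS from tcpdump text."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"]))
            syns.append(Syn(m["ts"], flow, int(m["mss"])))
    return syns


def unclamped_retransmits(syns: List[Syn], max_mss: int = 1452) -> List[Syn]:
    """Flag SYN retransmissions whose MSS exceeds the clamp: the symptom seen in the thread."""
    seen = set()
    flagged = []
    for s in syns:
        retransmit = s.flow in seen
        seen.add(s.flow)
        if retransmit and s.mss > max_mss:
            flagged.append(s)
    return flagged


def clamp_walk(client_syns: List[Syn], table: str, set_mss: int = 1452) -> List[int]:
    """Simplified model of where a 'TCPMSS --set-mss' rule runs.

    'nat' is consulted only for the first packet of a connection (the one that
    creates the NAT mapping); 'mangle' is traversed for every packet.  Returns
    the MSS each SYN carries after leaving the box.  The '-m tcpmss --mss 1453:'
    match from the thread's rule is modelled as 'only clamp if mss > set_mss'.
    """
    if table not in ("nat", "mangle"):
        raise ValueError("table must be 'nat' or 'mangle'")
    seen = set()
    out = []
    for s in client_syns:
        first = s.flow not in seen
        seen.add(s.flow)
        consulted = first if table == "nat" else True
        out.append(set_mss if consulted and s.mss > set_mss else s.mss)
    return out


if __name__ == "__main__":
    observed = parse_syns(SAMPLE_CAPTURE)
    for s in unclamped_retransmits(observed):
        print(f"{s.ts}: retransmitted SYN left with mss {s.mss} (clamp missed)")
    # What the client actually sent before the box touched it: 1460 on every SYN.
    sent = [Syn(s.ts, s.flow, 1460) for s in observed]
    print("nat    :", clamp_walk(sent, "nat"))      # first SYN clamped only
    print("mangle :", clamp_walk(sent, "mangle"))   # every SYN clamped
```

Run against a real capture, `unclamped_retransmits` is the quick check for whether a clamp rule has been placed in the wrong table: a healthy mangle-table setup produces an empty list.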
* Re: only first TCP SYN packet consulted in nat table chains - bug or feature?
From: Eric Leblond @ 2004-06-22 13:33 UTC
To: netfilter-devel
On Tue, 2004-06-22 at 15:19, Henrik Nordstrom wrote:
> On Mon, 21 Jun 2004, Krzysztof Rusocki wrote:
>
> If you need to remember something related to a specific session between
> packets then see the CONNMARK patch in pom-ng.
This extension is useful to someone one more time. Does somebody know
why it has not been included in the standard kernel?
BR,
--
Eric Leblond <eric@inl.fr>
INL
* Re: only first TCP SYN packet consulted in nat table chains - bug or feature?
From: Jozsef Kadlecsik @ 2004-06-22 13:43 UTC
To: Eric Leblond; +Cc: netfilter-devel
On Tue, 22 Jun 2004, Eric Leblond wrote:
> On Tue, 2004-06-22 at 15:19, Henrik Nordstrom wrote:
> > On Mon, 21 Jun 2004, Krzysztof Rusocki wrote:
> >
> > If you need to remember something related to a specific session between
> > packets then see the CONNMARK patch in pom-ng.
>
> This extension is useful to someone one more time. Does somebody know
> why it has not been included in the standard kernel?
It was submitted to the 2.6 series a long time ago.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: only first TCP SYN packet consulted in nat table chains - bug or feature?
From: Henrik Nordstrom @ 2004-06-22 15:26 UTC
To: Eric Leblond; +Cc: netfilter-devel
On Tue, 22 Jun 2004, Eric Leblond wrote:
> This extension is useful to someone one more time. Does somebody know
> why it has not been included in the standard kernel?
It has been proposed a number of times, but never seems to get the final
go-ahead. And right now is not a good time, as changes are again being discussed.
Hopefully the third revision discussed a few days ago will finally make
it (changes in mark mask logic to express a much richer set of
operations).
Regards
Henrik