* How to remove TCP options when doing NAT?
From: Fabrice Triboix @ 2007-06-27 9:51 UTC (permalink / raw)
To: netfilter
Hi,
I have noticed that to handle masquerading, Linux adds some TCP
options to the output packets (for a TCP stream, of course).
I would like to know if there is a way to avoid that? Or more
accurately: is it possible to tell the Linux kernel to do the
masquerading without adding these TCP options?
Thank you very much for any help,
Fabrice Triboix
-
This message is subject to Imagination Technologies' e-mail terms: http://www.imgtec.com/e-mail.htm
-
* Re: How to remove TCP options when doing NAT?
From: Cedric Blancher @ 2007-06-27 15:12 UTC (permalink / raw)
To: Fabrice Triboix; +Cc: netfilter
On Wednesday 27 June 2007 at 10:51 +0100, Fabrice Triboix wrote:
> I have noticed that to handle masquerading, Linux adds some TCP
> options to the output packets (for a TCP stream, of course).
What kind of options? I just looked at a NATed (by a Linux box) TCP
stream between 2 Linux boxes, and I don't see any additional TCP option.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* RE: How to remove TCP options when doing NAT?
From: Cedric Blancher @ 2007-06-28 11:32 UTC (permalink / raw)
To: Fabrice Triboix; +Cc: netfilter
On Thursday 28 June 2007 at 12:00 +0100, Fabrice Triboix wrote:
> From ethereal, I can see 20 bytes of options added on each TCP packet.
> These are TCP options that are added after the standard TCP header of 20
> bytes, thus the total TCP header size is 40 bytes.
> These 20 bytes of options are (according to ethereal):
> - Maximum segment size: 1460 bytes (I can understand that: 1500 - 40)
> - SACK permitted
> - Timestamps: TSval 360225, TSecr 0
> - NOP
> - Window scale: 0 (multiply by 1)
What were the options that were not present _before_ the gateway?
> Does anyone know how I can configure Linux not to do that?
I don't know of any mangling extension for TCP options, like
IPV4OPTSSTRIP for IP options.
PS: pls keep the list Cced...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* RE: How to remove TCP options when doing NAT?
From: Fabrice Triboix @ 2007-06-28 13:26 UTC (permalink / raw)
To: netfilter
Hi Cedric,
> What were the options that were not present _before_ the gateway?
I have some difficulty understanding the question...
The TCP packets coming from the local network (before the gateway) do
not have extra options in their TCP headers. Their TCP headers are 20
bytes in size.
> I don't know of any mangling extension for TCP options, like
> IPV4OPTSSTRIP for IP options.
I guess it is part of the NAT mechanisms... I just would like to know
whether this is configurable or not...
I forgot to mention that I am using Linux 2.6.18, arch i686.
> PS: pls keep the list Cced...
Yes, my mistake!!
Cheers,
Fabrice
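
Added example (not part of the thread, and not code from any participant): one way to answer "which options were not present before the gateway" is to decode the option area of a TCP header captured on each side and compare the two lists. The two headers below are constructed samples; the "after" header carries exactly the 20 option bytes listed above, while ports, sequence number and window are made up.

```python
import struct

# Option kinds that appear in the thread, plus EOL (IANA TCP option kind numbers).
KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}

def parse_tcp_options(tcp_header: bytes):
    """Return [(name, value)] for the options carried by one raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (tcp_header[12] >> 4) * 4           # data offset is in 32-bit words
    if hdr_len < 20 or hdr_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, out = tcp_header[20:hdr_len], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of option list
            break
        if kind == 1:                             # NOP is a single padding byte
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]                      # covers kind and length bytes too
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", body)[0]  # MSS in bytes
        elif kind == 3 and length == 3:
            value = body[0]                       # window scale shift count
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", body)    # (TSval, TSecr)
        else:
            value = body.hex() or None
        out.append((KINDS.get(kind, "kind-%d" % kind), value))
        i += length
    return out

def added_by_gateway(before: bytes, after: bytes):
    """Options present in the header seen after the gateway but not before it."""
    seen = parse_tcp_options(before)
    return [opt for opt in parse_tcp_options(after) if opt not in seen]

def syn_header(options: bytes) -> bytes:
    """Constructed SYN header (made-up ports, sequence number, window)."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 5840, 0, 0) + options

# Constructed samples: the 20 option bytes reported in the thread, in the same order.
THREAD_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a"
                  + struct.pack("!II", 360225, 0) + b"\x01" + b"\x03\x03\x00")
BEFORE, AFTER = syn_header(b""), syn_header(THREAD_OPTIONS)
```
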
* How to remove TCP options when doing NAT?
From: Fabrice Triboix @ 2007-07-04 12:59 UTC (permalink / raw)
To: netfilter-devel
Hi,
I have noticed that to handle masquerading, Linux adds some TCP options
to the output packets (for a TCP stream, of course).
I would like to know if there is a way to avoid that? Or more
accurately: is it possible to tell the Linux kernel to do the
masquerading without adding these TCP options?
I am using Linux 2.6.18 (custom build from original sources) on an Intel
architecture.
I have tried to ask this question on netfilter@lists.netfilter.org, but
nobody was able to answer me...
Thank you very much for any help,
Fabrice Triboix