Packet Lost

Packet Lost

[Vasantha Kumar Puttappa]

Hi,

  I am working on a small application using iptables/libipq. In this, the
application would capture a specific packets based on the destination IP
address. Then I encapsulate this IP packet inside another new IP packet.

My problem is that the encapsulation part works fine in
kernel-2.6.11-6(mandriva 2005) and IPtables V 1.2.9.
(I can capture encapsulated packets using tcpdump at the sender side i.e,
packets are being put on to the network)


But this doesn't work in kernel-2.6.12-12 and IPtables-1.3.5
(even though there are no erros after callig ipq_set_verdict, the packets
are not being put on to the channel. The packets are getting lost after
the call to ipq_set_verdict)

please let me know if you need more information


Please help me out here

Thanx

Re: Packet Lost

[Patrick McHardy]

Vasantha Kumar Puttappa wrote:
> Hi,
> 
>   I am working on a small application using iptables/libipq. In this, the
> application would capture a specific packets based on the destination IP
> address. Then I encapsulate this IP packet inside another new IP packet.
> 
> My problem is that the encapsulation part works fine in
> kernel-2.6.11-6(mandriva 2005) and IPtables V 1.2.9.
> (I can capture encapsulated packets using tcpdump at the sender side i.e,
> packets are being put on to the network)
> 
> 
> But this doesn't work in kernel-2.6.12-12 and IPtables-1.3.5
> (even though there are no erros after callig ipq_set_verdict, the packets
> are not being put on to the channel. The packets are getting lost after
> the call to ipq_set_verdict)
> 
> please let me know if you need more information

IIRC some old versions accidentally fixed up broken checksums
they received from userspace and this is not done anymore.
Do your packets have correct checksums when sent from userspace
to the kernel?

Re: Packet Lost

[Vasantha Kumar Puttappa]

> Vasantha Kumar Puttappa wrote:
>> Hi,
>>
>>   I am working on a small application using iptables/libipq. In this,
>> the
>> application would capture a specific packets based on the destination IP
>> address. Then I encapsulate this IP packet inside another new IP packet.
>>
>> My problem is that the encapsulation part works fine in
>> kernel-2.6.11-6(mandriva 2005) and IPtables V 1.2.9.
>> (I can capture encapsulated packets using tcpdump at the sender side
>> i.e,
>> packets are being put on to the network)
>>
>>
>> But this doesn't work in kernel-2.6.12-12 and IPtables-1.3.5
>> (even though there are no erros after callig ipq_set_verdict, the
>> packets
>> are not being put on to the channel. The packets are getting lost after
>> the call to ipq_set_verdict)
>>
>> please let me know if you need more information
>
> IIRC some old versions accidentally fixed up broken checksums
> they received from userspace and this is not done anymore.
> Do your packets have correct checksums when sent from userspace
> to the kernel?
>
>


ya my checksum calculation is correct. If my checksum is wrong, it would
have been detected by tcpdump or ethereal(in 2.6.11-6).

Any suggestions ?

Re: Packet Lost

[Patrick McHardy]

Vasantha Kumar Puttappa wrote:
>>IIRC some old versions accidentally fixed up broken checksums
>>they received from userspace and this is not done anymore.
>>Do your packets have correct checksums when sent from userspace
>>to the kernel?
>>
> 
> ya my checksum calculation is correct. If my checksum is wrong, it would
> have been detected by tcpdump or ethereal(in 2.6.11-6).

No it wouldn't have been, thats what I'm saying. Old ipq versions
silently fixed broken checksums. Depending on the hook you're queueing
packets at they might get dropped locally if the checksum is corrupt.

Re: Packet Lost

[Vasantha Kumar Puttappa]

Hi,
 Actually I did verified my calculated checksum value with the checksum
value present in the actual transmitted packet(using ethereal,
kernel-2.6.11-6), and the values are same.

 Here is my checksum code, please let me if something is wrong.

**********************

// To calculate the new check sum
unsigned short ip_sum_calc(unsigned short *addr,int len)
{


  int nleft = len;
  int sum = 0;
  unsigned short *w = addr;
  unsigned short answer = 0;

  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }


  if (nleft == 1)
    {
      *(unsigned char *)(&answer) = *(unsigned char *) w;
      sum += answer;
    }
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;

  return answer;

}

***********************




> Vasantha Kumar Puttappa wrote:
>>>IIRC some old versions accidentally fixed up broken checksums
>>>they received from userspace and this is not done anymore.
>>>Do your packets have correct checksums when sent from userspace
>>>to the kernel?
>>>
>>
>> ya my checksum calculation is correct. If my checksum is wrong, it would
>> have been detected by tcpdump or ethereal(in 2.6.11-6).
>
> No it wouldn't have been, thats what I'm saying. Old ipq versions
> silently fixed broken checksums. Depending on the hook you're queueing
> packets at they might get dropped locally if the checksum is corrupt.
>

Re: Packet Lost

[Patrick McHardy]

Vasantha Kumar Puttappa wrote:
> Hi,
>  Actually I did verified my calculated checksum value with the checksum
> value present in the actual transmitted packet(using ethereal,
> kernel-2.6.11-6), and the values are same.

OK. Then please describe what you're doing in more detail (at what hook
are you queueing, what are you doing to the packet, what is the last
spot you can see the packet, ...). Try to add some LOG rules to see
if the packet really is dropped by ip_queue or later in the stack.

TCP connection and interface down

[Vasantha Kumar Puttappa]

Hi,
  Suppose I have an active tcp connection(web browser) bounded to an
interface X. Whenever this interface goes down, this will be notified by
the kernel stack to the transport layer and the tcp application will
stop sending packets till interface becomes active.

 My questions is that , is it possible to allow tcp applications to keep
on sending packets even after interface goes down. So, that I can catch
packets using IPtables and do whatever manipulation I would like to do.
Also I have another interface to send these manipulated packets.

 Guide me,

 Thanx in advance.