iptables -t nat -A OUTPUT -j DNAT ... checksum incorrect

iptables -t nat -A OUTPUT -j DNAT ... checksum incorrect

[Giacomo]

Hi to all.

With the rule


iptables -t nat -A OUTPUT -p tcp -j DNAT -d 151.8.71.28
--to-destination 140.105.5.88:8080


I see the GET http request with checksum incorrect (on the wireshark
traffic analyzer):

Checksum: x incorrect, should be y (maybe caused by "TCP checksum offload?)

Is it normal?

Why does this happen?

Thanks

Giacomo

--

Re: iptables -t nat -A OUTPUT -j DNAT ... checksum incorrect

[Giacomo]

2009/8/6 Fabricio Archanjo <farchanjo@gmail.com>:
> Giacomo,
> You need use the PREROUTING table. I guess so.
>
> Att.

Hi, thanks for your answer.
No, this rule changes destination address/port of outgoing packets
(redirection).

Regards, Giacomo

>
> On Wed, Aug 5, 2009 at 9:53 AM, Giacomo <delleceste@gmail.com> wrote:
>>
>> Hi to all.
>>
>> With the rule
>>
>>
>> iptables -t nat -A OUTPUT -p tcp -j DNAT -d 151.8.71.28
>> --to-destination 140.105.5.88:8080
>>
>>
>> I see the GET http request with checksum incorrect (on the wireshark
>> traffic analyzer):
>>
>> Checksum: x incorrect, should be y (maybe caused by "TCP checksum
>> offload?)
>>
>> Is it normal?
>>
>> Why does this happen?
>>
>> Thanks
>>
>> Giacomo
>>
>> --
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
>> in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>



-- 
Giacomo S.
http://www.giacomos.it

- - - - - - - - - - - - - - - - - - - - - -

* Aprile 2008: iqfire-wall, un progetto
  open source che implementa un
  filtro di pacchetti di rete per Linux,
  e` disponibile per il download qui:
  http://sourceforge.net/projects/ipfire-wall

* Informazioni e pagina web ufficiale:
  http://www.giacomos.it/iqfire/index.html

- - - - - - - - - - - - - - - - - - - - - -

 . ''  `.
:   :'    :
 `.  ` '
    `- Debian GNU/Linux -- The power of freedom
        http://www.debian.org
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: iptables -t nat -A OUTPUT -j DNAT ... checksum incorrect

[Jan Engelhardt]

On Wednesday 2009-08-05 14:53, Giacomo wrote:

>Hi to all.
>
>With the rule
>
>
>iptables -t nat -A OUTPUT -p tcp -j DNAT -d 151.8.71.28
>--to-destination 140.105.5.88:8080
>
>
>I see the GET http request with checksum incorrect (on the wireshark
>traffic analyzer):

Normally the checksum should be recalculated at the same time
the NAT transformation is applied, but I think there is also
a way where this might not happen - TSO, GSO or hardware
checksumming, or something.
If that is the case, skb->checksum should be containing an
approprivate value (CHECKSUM_NONE/CHECKSUM_UNNECESSARY/etc.)
Best is: try to printk skb->checksum. (was it skb->csum?)