RE: Cursed Checksums

From: Albert Cahalan
Date: Sun Aug 22 2004 - 17:49:55 EST

Next message: Jeff Garzik: "Trivial IPv6-for-Fedora HOWTO"
Previous message: John Levon: "Re: [PATCH] improve OProfile on many-way systems"
In reply to: Josan Kadett: "RE: Cursed Checksums"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 2004-08-22 at 18:38, Josan Kadett wrote:
> In normal conditions, when NAT translates an IP header, it should do correct
> checksumming. However; when the source IP address of a packet is
> manipulated, Iptables still seems to use the "original" IP address and
> calculate the checksum accordingly. This way even if I use 3 three boxes;
>
> Original Packet --> NAT 1 --> NAT 2 --> NAT3 --> Still incorrect checksum

Sure. That's why I think this is a job for ebtables.
Note: EBtables, not IPtables. This is lower level,
dealing with raw Ethernet packets. It should be able
to mangle anything in the packet.

Just as iptables lets you change any 32-bit value in
an IP packet, ebtables should let you change any 32-bit
value in an Ethernet packet. Unlike iptables, it could
operate prior to the IP checksum verification.

Sadly, it looks like u32 mangle rules are missing.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Trivial IPv6-for-Fedora HOWTO"
Previous message: John Levon: "Re: [PATCH] improve OProfile on many-way systems"
In reply to: Josan Kadett: "RE: Cursed Checksums"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]