user name
2006-01-13 05:24:54
Hi!
   After installing openswan, I found my transparent ftp proxy can't work any more.
   With openswan's default configuration, my route table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.100.1   128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       192.168.100.1   128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth1

So a packet going out from my linux server will first go out through the ipsec0 device, and finally
go out through the eth1 device. There is no encrypted tunnel at all, so the same skb will
go through the ip_nat_seq_adjust function twice. When some helper like ip_nat_ftp needs to
change the seq of a packet, the seq will be changed twice, and then the packet will be sent
out with an incorrect seq.

The following patch will fix this. What do you think about it?
Thanks
diff -pru linux-2.6.14-orig/include/linux/skbuff.h linux-2.6.14/include/linux/skbuff.h
--- linux-2.6.14-orig/include/linux/skbuff.h 2006-01-12 13:36:28.000000000 +0800
+++ linux-2.6.14/include/linux/skbuff.h 2006-01-13 12:32: 23.000000000 +0800
-261,7 +261,8 struct sk_buff {
nohdr:1,
nfctinfo:3;
__u8 pkt_type:3,
- fclone:2;
+ fclone:2,
+ seq_changed:1;
__be16 protocol;

void (*destructor)(struct sk_buff *skb);
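Review bot: the new `seq_changed:1` bit in `struct sk_buff` has no comment saying what it means or who owns it, and in this patch it is only ever set (in the last hunk of ip_nat_helper.c) and never cleared, so a reader of skbuff.h cannot tell it is a per-traversal NAT marker; add a one-line comment next to the field. Also confirm that the skb allocation path zeroes the byte this bit lives in (it sits alongside `pkt_type` and `fclone`, before `protocol`), because a stale set bit on a fresh skb would silently skip the sequence adjustment for that packet. Note that a per-skb flag only addresses this one helper call: the underlying condition is the same skb traversing the NAT hooks twice (once on ipsec0, once on eth1), which any other per-packet mangling on that path would also be exposed to.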
diff -pru linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c linux-2.6.14/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c 2005-10-28 08:02:08.000000000 +0800
+++ linux-2.6.14 /net/ipv4/netfilter/ip_nat_helper.c 2006-01-13 12:39:17.000000000 +0800
-365,6 +365,9 ip_nat_seq_adjust(struct sk_buff **pskb,
this_way = &ct->nat.info.seq[dir];
other_way = &ct->nat.info.seq [!dir];

+ if((*pskb)->seq_changed)
+ return 1;
+
if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph)))
return 0;

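Review bot: the early `return 1` on `seq_changed` needs a comment stating that 1 here means "already adjusted on an earlier traversal of this skb" rather than "adjusted now", since callers treat 1 as success and the skip also bypasses `ip_conntrack_tcp_update` for the second pass. Kernel style wants `if ((*pskb)->seq_changed)` with a space after `if`. Placing the check before `skb_make_writable` is sensible (no copy is made for a packet that will not be touched), and because the flag is only set on the success path of the later hunk, a first traversal that returns 0 leaves the bit clear and the second traversal retries, which is the intended behaviour; state that in the comment so the dependency between the two hunks is explicit.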
-398,6 +401,7 ip_nat_seq_adjust(struct sk_buff **pskb,
return 0;

ip_conntrack_tcp_update(*pskb, ct, dir);
+ (*pskb)->seq_changed=1;

return 1;

}
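Review bot: `(*pskb)->seq_changed=1;` needs spaces around `=` per kernel style, and setting it only after `ip_conntrack_tcp_update` has run on the success path is the right place, but nothing in the patch ever clears the bit. If any path reuses the same skb to carry a different packet, the stale bit would suppress a sequence adjustment that is actually required; either clear it wherever the skb is reused or document why that cannot happen on the paths this flag covers.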

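The post's claim that every non-local packet leaves through ipsec0 first and only then through eth1 follows from longest-prefix matching over the table shown: the two /1 routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) together cover all of IPv4 and always beat the /0 default on eth1. The following Python is an added example, not code from the thread or from openswan, that parses that `route -n` table (embedded below as a constructed sample, cleaned of the archive's MailScanner noise), performs the lookup, and flags the pattern of a default route shadowed by /1 routes on a different device. It assumes a single classic routing table and models the virtual device hand-off by resolving the ipsec0 route's gateway again; it does not model policy routing, multiple tables, or the actual KLIPS binding of ipsec0 to eth1.

```python
import ipaddress

# Constructed sample: the `route -n` output from the post, with the
# MailScanner warnings that the archive injected stripped out.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.100.1   128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       192.168.100.1   128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth1
"""

ALL_IPV4_HALVES = {ipaddress.IPv4Network("0.0.0.0/1"),
                   ipaddress.IPv4Network("128.0.0.0/1")}


def parse_routes(text):
    """Parse `route -n` style output into a list of route dicts (table order kept)."""
    routes = []
    for line in text.splitlines():
        if not line or not line[0].isdigit():      # skip title and header lines
            continue
        dest, gw, mask, flags, metric, ref, use, iface = line.split()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),   # dotted-mask form is accepted
            "gateway": gw,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Classic FIB lookup: longest prefix wins, lower metric breaks ties,
    then table order (max() keeps the first of equal keys)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def egress_chain(routes, dst, virtual_ifaces=("ipsec0",)):
    """Return the sequence of devices a packet to dst passes through.
    Modelling assumption: a route via a virtual device forwards to its gateway,
    so the gateway address is resolved again to find the physical device."""
    chain = []
    r = lookup(routes, dst)
    while r is not None and r["iface"] not in chain:   # guard against loops
        chain.append(r["iface"])
        if r["iface"] not in virtual_ifaces or r["gateway"] == "0.0.0.0":
            break
        r = lookup(routes, r["gateway"])
    return chain


def default_route_shadowed(routes):
    """Detect the pattern from the post: two /1 routes covering all of IPv4 on a
    device other than the one carrying the /0 default route. Returns
    (default route iface, set of ifaces carrying the /1 routes) or None."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    halves = [r for r in routes if r["net"].prefixlen == 1]
    if not defaults or {r["net"] for r in halves} != ALL_IPV4_HALVES:
        return None
    half_ifaces = {r["iface"] for r in halves}
    if half_ifaces == {defaults[0]["iface"]}:
        return None                                   # same device, nothing diverted
    return defaults[0]["iface"], half_ifaces


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("10.0.0.1", "200.1.1.1", "192.168.2.7", "192.168.100.5"):
        print(f"{dst:15} -> {' then '.join(egress_chain(table, dst))}")
    print("default route shadowed:", default_route_shadowed(table))
```

Running it shows every address outside the two local /24s leaving via ipsec0 and then eth1, while the /24 on eth0 is untouched; that double egress is exactly the condition under which the same skb hits the NAT POSTROUTING helpers twice.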
user name
2006-01-14 05:48:55
On Fri, 13 Jan 2006, lepton wrote:

> The following patch will fix this. What do you think about it?
> Thanks
>
> diff -pru linux-2.6.14-orig/include/linux/skbuff.h

I believe 2.6.15 just got Patrick's patches integrated from patch-o-matic that accomplish the same.

Paul
_______________________________________________
Dev mailing list
Dev@openswan.org
http://lists.openswan.org/mailman/listinfo/dev