Hi!<br>
After install openswan, I found my transprent ftp proxy can't work any more.<br>
With openswan's default configuration, my route table looks like this:<br>
<br>
Kernel IP routing table<br>
Destination
Gateway
Genmask Flags Metric
Ref Use Iface<br>
<a href="http://192.168.100.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.100.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.100.0</a>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
<a href="http://255.255.255.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "255.255.255.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 255.255.255.0</a> U
0
0 0 eth1<br>
<a href="http://192.168.100.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.100.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.100.0</a>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
<a href="http://255.255.255.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "255.255.255.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 255.255.255.0</a> U
0
0 0 ipsec0<br>
<a href="http://192.168.2.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.2.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.2.0</a>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
<a href="http://255.255.255.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "255.255.255.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 255.255.255.0</a> U
0
0 0 eth0<br>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
<a href="http://192.168.100.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.100.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.100.1</a> <a href="http://128.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "128.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 128.0.0.0</a>
UG 0
0 0 ipsec0<br>
<a href="http://128.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "128.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 128.0.0.0</a> <a href="http://192.168.100.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.100.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.100.1</a>
<a href="http://128.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "128.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 128.0.0.0</a> UG
0
0 0 ipsec0<br>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
<a href="http://192.168.100.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.100.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.100.1</a>
<a href="http://0.0.0.0"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0</a>
UG 0
0 0 eth1<br>
<br>
So the packet out from my linux server will first go out from ipsec0 device, and finally<br>
go out from eth1 device. There is no any encrypt tunnel indeed, so the same skb will<br>
go through ip_nat_seq_adjust function twice. When somet helper like ip_nat_ftp need<br>
change the seq of some packet, the seq will be changed twice, then the packet will be send<br>
out with the incorrect seq.<br>
<br>
The following patch will fix this, How do you think about this?<br>
Thanks<br>
<pre>diff -pru linux-2.6.14-orig/include/linux/skbuff.h linux-2.6.14/include/linux/skbuff.h<br>--- linux-2.6.14-orig/include/linux/skbuff.h 2006-01-12 13:36:28.000000000 +0800<br>+++ linux-2.6.14/include/linux/skbuff.h 2006-01-13 12:32:
23.000000000 +0800<br>@@ -261,7 +261,8 @@ struct sk_buff {<br> nohdr:1,<br> nfctinfo:3;<br> __u8 pkt_type:3,<br>- fclone:2;<br>+ fclone:2,<br>+ seq_changed:1;<br> __be16 protocol;<br> <br> void (*destructor)(struct sk_buff *skb);
<br>diff -pru linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c linux-2.6.14/net/ipv4/netfilter/ip_nat_helper.c<br>--- linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c 2005-10-28 08:02:08.000000000 +0800<br>+++ linux-2.6.14
/net/ipv4/netfilter/ip_nat_helper.c 2006-01-13 12:39:17.000000000 +0800<br>@@ -365,6 +365,9 @@ ip_nat_seq_adjust(struct sk_buff **pskb,<br> this_way = &ct->nat.info.seq[dir];<br> other_way = &ct->nat.info.seq
[!dir];<br> <br>+ if((*pskb)->seq_changed)<br>+ return 1;<br>+<br> if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph)))<br> return 0;<br> <br>@@ -398,6 +401,7 @@ ip_nat_seq_adjust(struct sk_buff **pskb,
<br> return 0;<br> <br> ip_conntrack_tcp_update(*pskb, ct, dir);<br>+ (*pskb)->seq_changed=1;<br> <br> return 1;<br><br> }<br></pre>
<br>