[Openswan dev] [PATCH]fix adjust seq twice for packet out from ipsec* device

lepton ytht.net at gmail.com
Fri Jan 13 13:24:54 CET 2006 

Hi!
   After install openswan, I found my transprent ftp proxy can't work any
more.
   With openswan's default configuration, my route table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0
ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.100.1   128.0.0.0       UG    0      0        0
ipsec0
128.0.0.0       192.168.100.1   128.0.0.0       UG    0      0        0
ipsec0
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth1

So the packet out from my linux server will first go out from ipsec0 device,
and finally
go out from eth1 device. There is no any encrypt tunnel indeed, so the same
skb will
go through ip_nat_seq_adjust function twice. When somet helper like
ip_nat_ftp need
change the seq of some packet, the seq will be changed twice, then the
packet will be send
out with the incorrect seq.

The following patch will fix this, How do you think about this?
Thanks

diff -pru linux-2.6.14-orig/include/linux/skbuff.h
linux-2.6.14/include/linux/skbuff.h
--- linux-2.6.14-orig/include/linux/skbuff.h	2006-01-12 13:36:28.000000000 +0800
+++ linux-2.6.14/include/linux/skbuff.h	2006-01-13 12:32:23.000000000 +0800
@@ -261,7 +261,8 @@ struct sk_buff {
 				nohdr:1,
 				nfctinfo:3;
 	__u8			pkt_type:3,
-				fclone:2;
+				fclone:2,
+				seq_changed:1;
 	__be16			protocol;

 	void			(*destructor)(struct sk_buff *skb);
diff -pru linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c
linux-2.6.14/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.6.14-orig/net/ipv4/netfilter/ip_nat_helper.c	2005-10-28
08:02:08.000000000 +0800
+++ linux-2.6.14/net/ipv4/netfilter/ip_nat_helper.c	2006-01-13
12:39:17.000000000 +0800
@@ -365,6 +365,9 @@ ip_nat_seq_adjust(struct sk_buff **pskb,
 	this_way = &ct->nat.info.seq[dir];
 	other_way = &ct->nat.info.seq[!dir];

+	if((*pskb)->seq_changed)
+		return 1;
+
 	if (!skb_make_writable(pskb, (*pskb)->nh.iph->ihl*4+sizeof(*tcph)))
 		return 0;

@@ -398,6 +401,7 @@ ip_nat_seq_adjust(struct sk_buff **pskb,
 		return 0;

 	ip_conntrack_tcp_update(*pskb, ct, dir);
+	(*pskb)->seq_changed=1;

 	return 1;

 }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20060113/fea2da66/attachment.htm

More information about the Dev mailing list