| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Apr 2007 09:45:41 +0200 From: Michael Guntsche <mike@...loops.com> To: linux-kernel@...r.kernel.org Subject: Marked based routing and redirecting problems with kernel v2.6 Hello list, I recently switched one of my older gateways from 2.4 to 2.6. I had a transparent proxy set-up as explained here http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss6.2 I know that transparent proxying is generally being frowned on but in this special case I have to use it. This setup worked fine with the v2.4 kernel on my gateway. After switching to 2.6 it seems that the packets are no longer routed to my squid box correctly. I see the first sync from the client and get the reply sync from the squid box, but the ACK my client sends back never reaches the squid box. So the squid box is sending out SYNC requests again and after a very long time it sometimes "sees" the ACK from the client. This is an example of a successful connection with the 2.4 kernel running on the gateway. Gateway/Router: 09:31:11.718565 IP trillian.comsick.at.49282 > www.heise.de.www: S 1286769610:1286769610(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988726717 0,sackOK,eol> 09:31:11.718836 IP trillian.comsick.at.49282 > www.heise.de.www: S 1286769610:1286769610(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988726717 0,sackOK,eol> 09:31:11.719632 IP trillian.comsick.at.49282 > www.heise.de.www: . ack 598485927 win 65535 <nop,nop,timestamp 988726717 10262916> 09:31:11.719725 IP trillian.comsick.at.49282 > www.heise.de.www: . ack 1 win 65535 <nop,nop,timestamp 988726717 10262916> Squid Box: 09:31:10.795018 IP trillian.comsick.at.49282 > www.heise.de.www: S 1286769610:1286769610(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988726717 0,sackOK,eol> 09:31:10.797621 IP www.heise.de.www > trillian.comsick.at.49282: S 598485926:598485926(0) ack 1286769611 win 5792 <mss 1460,sackOK,timestamp 10262916 988726717,nop,wscale 2> 09:31:10.795831 IP trillian.comsick.at.49282 > www.heise.de.www: . ack 1 win 65535 <nop,nop,timestamp 988726717 10262916> Not working with V2.6 with no changes in the setup Gateway/Router: 09:39:33.798241 IP trillian.comsick.at.49303 > www.heise.de.www: S 1751958343:1751958343(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988727720 0,sackOK,eol> 09:39:33.807231 IP trillian.comsick.at.49303 > www.heise.de.www: S 1751958343:1751958343(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988727720 0,sackOK,eol> 09:39:33.798996 IP trillian.comsick.at.49303 > www.heise.de.www: . ack 1144270693 win 65535 <nop,nop,timestamp 988727720 10388336> Squid Box: 09:39:32.480764 IP trillian.comsick.at.49303 > www.heise.de.www: S 1751958343:1751958343(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 988727720 0,sackOK,eol> 09:39:32.482965 IP www.heise.de.www > trillian.comsick.at.49303: S 1144270692:1144270692(0) ack 1751958344 win 5792 <mss 1460,sackOK,timestamp 10388336 988727720,nop,wscale 2> ... retries ... As you can see the ACK never reaches the SQUID box. Am I missing something or has the handling of this special packet mangling changed in v2.6? This has been tested with 2.6.19 and 2.6.20.6 Please put me on CC for any reply since I am not subscribed to the list. Kind regards, Michael - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists