mangle MSS via tcp_manip_pkt() in ip_nat_proto_tcp.c [patch]

mangle MSS via tcp_manip_pkt() in ip_nat_proto_tcp.c [patch]

[Michael Glaum]

I just patched ip_nat_proto_tcp.c, below, for a specific application and
are looking for criticism.

We have 2.4.18-3 box whose route onto the internet is via satellite. There
is a cisco box in this route that inelegantly blocks packets larger than
1470. I don't have control over this route.

This 2.4.18-3 box is running iptables in masquerade mode. The private
network machines behind it are windohs boxes. I can't control the MTU
on these boxes so when they surf to www.freebsd.org they hang due to
the 1470 problem above.

I tried several things, e.g. pathMTU, etc but in view of severe time
constraints I decided to HACK tcp_manip_pkt() in ip_nat_proto_tcp.c
so that when it does source and destination address translation it also
drops the MSS on outgoing and incoming packets to be below 1360. This
appears to work. I didn't even bother to check if the packets had
tcphdr->syn ==1 set.

Please advise if there is a more elegant way to do this!

								Michael Glaum
								KVH Industries


cd /usr/src/linux/net/ipv4/netfilter
diff -u ip_nat_proto_tcp.old ip_nat_proto_tcp.c
--- ip_nat_proto_tcp.old	Tue Aug  7 11:30:50 2001
+++ ip_nat_proto_tcp.c	Fri Jul 18 03:57:56 2003
@@ -9,6 +9,8 @@
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
 
+#include <net/tcp.h>
+
 static int
 tcp_in_range(const struct ip_conntrack_tuple *tuple,
 	     enum ip_nat_manip_type maniptype,
@@ -74,6 +76,56 @@
 	return 0;
 }
 
+static u_int16_t
+cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
+{
+u_int32_t diffs[] = { oldvalinv, newval };
+
+	return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
+                         oldcheck^0xFFFF));
+}
+
+static u_int8_t * locate_mss( struct tcphdr * tcp ) {
+u_int8_t *opt;
+int	   i;
+
+    opt = (u_int8_t *)tcp;
+    for (i = sizeof(struct tcphdr); i < tcp->doff * 4; ) {
+        if ((opt[i] == TCPOPT_MSS)
+            && ((tcp->doff * 4 - i) >= TCPOLEN_MSS)
+            && (opt[i+1] == TCPOLEN_MSS)) {
+                return &opt[i+2];
+        } /* if opt==TCPOPT_MSS */
+
+        if (opt[i] < 2) {
+            i++;
+        } else {
+            i += opt[i+1]?:1;
+        }
+    } /* for */
+
+    return NULL;
+} /* locate_mss() */
+
+static void mangle_mss( struct tcphdr * tcp ) {
+u_int8_t * pmss;
+u_int16_t oldmss;
+u_int16_t newmss;
+
+	pmss = locate_mss( tcp );
+	if( pmss == NULL ) {
+		return;
+	}
+	oldmss=  (pmss[0] << 8 ) | pmss[1];
+	if( oldmss > 1360 ) {
+		newmss = 1360;
+		pmss[0] = 5;
+		pmss[1] = 0x50;
+		tcp->check = cheat_check( htons(oldmss)^0xffff,
+				htons(newmss), tcp->check );
+	}
+} /* mangle_mss() */
+
 static void
 tcp_manip_pkt(struct iphdr *iph, size_t len,
 	      const struct ip_conntrack_manip *manip,
@@ -101,6 +153,7 @@
 					ip_nat_cheat_check(*portptr ^ 0xFFFF,
 							   manip->u.tcp.port,
 							   hdr->check));
+		mangle_mss( hdr );
 	}
 
 	*portptr = manip->u.tcp.port;

Re: mangle MSS via tcp_manip_pkt() in ip_nat_proto_tcp.c [patch]

[Filip Sneppe]

On Fri, 2003-07-18 at 16:57, Michael Glaum wrote:
[...] 
> I tried several things, e.g. pathMTU, etc but in view of severe time
> constraints I decided to HACK tcp_manip_pkt() in ip_nat_proto_tcp.c
> so that when it does source and destination address translation it also
> drops the MSS on outgoing and incoming packets to be below 1360. This
> appears to work. I didn't even bother to check if the packets had
> tcphdr->syn ==1 set.
> 
> Please advise if there is a more elegant way to do this!

Hi Michael,

The easiest way to achieve your goal is to use the TCPMSS target
(that exists in the standard kernel for a long time now) to set
the MSS of the packets going out via the satellite link.

Regards,
Filip

Re: mangle MSS via tcp_manip_pkt() in ip_nat_proto_tcp.c [patch]

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 991 bytes --]

On Fri, Jul 18, 2003 at 10:57:05AM -0400, Michael Glaum wrote:

> I tried several things, e.g. pathMTU, etc but in view of severe time
> constraints I decided to HACK tcp_manip_pkt() in ip_nat_proto_tcp.c
> so that when it does source and destination address translation it also
> drops the MSS on outgoing and incoming packets to be below 1360. This
> appears to work. I didn't even bother to check if the packets had
> tcphdr->syn ==1 set.
> 
> Please advise if there is a more elegant way to do this!

Use the TCPMSS target  (iptables -j TCPMSS -h).

> 								Michael Glaum
> 								KVH Industries

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]