Fw: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)

Fw: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)

[David S. Miller]

Hey guys, please try to take a look at this one.

There are multiple confirmations that merely having ipt_MASQUERADE
loaded or built into the kernel causes PMTU ICMP messages to be
ignored in the current kernel.

I suspect this is more fallout from Rusty's recent conntrack/nat
stuff.  Maybe it'll result in some more nfsim testcases being
added, so perhaps not such a bad thing afterall :-)

Begin forwarded message:

Date: Thu, 27 Jan 2005 15:11:57 -0800
From: David Brownell <david-b@pacbell.net>
To: Janos Farkas <jf-ml-k1-1087813225@lk8rp.mail.xeon.eu.org>
Cc: David Ford <david+challenge-response@blue-labs.org>, linux-kernel@vger.kernel.org, netdev@oss.sgi.com, Art Haas <ahaas@airmail.net>
Subject: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)


I just got an interesting "I see these problems too" report.  It
may provide a useful clue.  According to "Art Haas" <ahaas@airmail.net>:

> I'm running the current BK kernel now, and I'm not seeing the problems
> right now because, I found, I do not have some of the IP masquerading
> modules installed on my machine. When these modules get installed then
> the cvs/rsync problems appear. 
 
I do have CONFIG_IP_NF_TARGET_MASQUERADE=y on the system where I'm
seeing this, though it's not doing anything just now.  Haven't yet
made time to see if disabling it improves things ... but if that's
a factor, it could explain why more people aren't suffering with
this problem.

- Dave

Re: Fw: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 828 bytes --]

David S. Miller wrote:

>Hey guys, please try to take a look at this one.
>
>There are multiple confirmations that merely having ipt_MASQUERADE
>loaded or built into the kernel causes PMTU ICMP messages to be
>ignored in the current kernel.
>
>I suspect this is more fallout from Rusty's recent conntrack/nat
>stuff.  Maybe it'll result in some more nfsim testcases being
>added, so perhaps not such a bad thing afterall :-)
>
You were right, NAT messes up the inner packet pretty badly :)

IP (tos 0xd0, ttl  64, id 40755, offset 0, flags [none], length: 88) 
172.16.1.123 > 172.16.1.123: icmp 68: type-#142 for IP (tos 0x10, ttl 
180, id 13605, offset 0, flags [DF], length: 60, bad cksum e8b3 
(->73d8)!) 172.16.1.123 > 172.16.195.55:  ip-proto-225 40

This patch fixes it.

Signed-off-by: Patrick McHardy <kaber@trash.net>


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 488 bytes --]

===== net/ipv4/netfilter/ip_nat_proto_tcp.c 1.10 vs edited =====
--- 1.10/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-01-17 23:00:55 +01:00
+++ edited/net/ipv4/netfilter/ip_nat_proto_tcp.c	2005-01-28 02:13:06 +01:00
@@ -105,7 +105,7 @@
 		return 0;
 
 	iph = (struct iphdr *)((*pskb)->data + iphdroff);
-	hdr = (struct tcphdr *)((*pskb)->data + iph->ihl*4);
+	hdr = (struct tcphdr *)((*pskb)->data + hdroff);
 
 	if (maniptype == IP_NAT_MANIP_SRC) {
 		/* Get rid of src ip and src pt */

Re: Fw: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 506 bytes --]

Patrick McHardy wrote:

> IP (tos 0xd0, ttl  64, id 40755, offset 0, flags [none], length: 88) 
> 172.16.1.123 > 172.16.1.123: icmp 68: type-#142 for IP (tos 0x10, ttl 
> 180, id 13605, offset 0, flags [DF], length: 60, bad cksum e8b3 
> (->73d8)!) 172.16.1.123 > 172.16.195.55:  ip-proto-225 40
>
> This patch fixes it.

This patch on top fixes corrupt checksums of ICMP errors. The
function returns before recalculating the checksum in some cases.

>
> Signed-off-by: Patrick McHardy <kaber@trash.net>



[-- Attachment #2: x --]
[-- Type: text/plain, Size: 956 bytes --]

===== net/ipv4/netfilter/ip_nat_core.c 1.67 vs edited =====
--- 1.67/net/ipv4/netfilter/ip_nat_core.c	2005-01-18 21:27:23 +01:00
+++ edited/net/ipv4/netfilter/ip_nat_core.c	2005-01-28 02:48:04 +01:00
@@ -450,6 +450,13 @@
 		       !manip))
 		return 0;
 
+	/* Reloading "inside" here since manip_pkt inner. */
+	inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
+	inside->icmp.checksum = 0;
+	inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
+						       (*pskb)->len - hdrlen,
+						       0));
+
 	/* Change outer to look the reply to an incoming packet
 	 * (proto 0 means don't invert per-proto part). */
 
@@ -468,13 +475,6 @@
 			return 0;
 	}
 
-	/* Reloading "inside" here since manip_pkt inner. */
-	inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
-
-	inside->icmp.checksum = 0;
-	inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
-						       (*pskb)->len - hdrlen,
-						       0));
 	return 1;
 }
 

Re: Fw: Re: 2.6.11-rc2 TCP ignores PMTU ICMP (Re: Linux 2.6.11-rc2)

[David S. Miller]

On Fri, 28 Jan 2005 02:56:08 +0100
Patrick McHardy <kaber@trash.net> wrote:

> Patrick McHardy wrote:
> 
> > IP (tos 0xd0, ttl  64, id 40755, offset 0, flags [none], length: 88) 
> > 172.16.1.123 > 172.16.1.123: icmp 68: type-#142 for IP (tos 0x10, ttl 
> > 180, id 13605, offset 0, flags [DF], length: 60, bad cksum e8b3 
> > (->73d8)!) 172.16.1.123 > 172.16.195.55:  ip-proto-225 40
> >
> > This patch fixes it.
> 
> This patch on top fixes corrupt checksums of ICMP errors. The
> function returns before recalculating the checksum in some cases.

Both applied, thanks Patrick.