help programming NAT

Good morning.
I'm writing a nat module for study purposes in linux kernel.

I do NAT, changing addresses and port in network packets (outgoing and
coming back)
Then i recalculate checksum.

i don't mangle payload (not interested in ftp).

Should i do any other adjustment? (TCP window, seq/ack) ?

I think it should be enough, since process should be transparent to hosts
behind nat machine,
the fact is that in some networks it works fine, in other networks
communication fails.

Tried changing mtu and clamp-tcpmss-to-pmtu with no effect.

Thanks-

Giacomo.

On Thu, 8 Sep 2005, Giacomo wrote:

> Good morning.
> I'm writing a nat module for study purposes in linux kernel.
>
> I do NAT, changing addresses and port in network packets (outgoing and
> coming back)
> Then i recalculate checksum.
>
> i don't mangle payload (not interested in ftp).
>
> Should i do any other adjustment? (TCP window, seq/ack) ?

No, you should not, the TCP/UDP checksum is the only thing you have to
change if you change source/destination port.

> I think it should be enough, since process should be transparent to hosts
> behind nat machine,
> the fact is that in some networks it works fine, in other networks
> communication fails.

The only think that comes in my head is that you don't handle the TCP
checksum in the right way ( Remember that TCP checksum is based on a
pseudo-header ), but if it works on some networks than the checksum
should be ok. Uhmm....

> Thanks-

I don't think my help was so useful :P

Diego.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~
Diego Billi - Email: dbilli_NO_SPAM_@cs.unibo.it
Homepage: http://www.cs.unibo.it/~dbilli
"Ecco; Io m'inquarto, io paro, io fingo, io scocco...
Giusto alla fin della licenza io tocco."

Giacomo wrote:
> Good morning.
> I'm writing a nat module for study purposes in linux kernel.
>
> I do NAT, changing addresses and port in network packets (outgoing and
> coming back)
> Then i recalculate checksum.
>
> i don't mangle payload (not interested in ftp).
>
> Should i do any other adjustment? (TCP window, seq/ack) ?
>
> I think it should be enough, since process should be transparent to hosts
> behind nat machine,
> the fact is that in some networks it works fine, in other networks
> communication fails.
>
> Tried changing mtu and clamp-tcpmss-to-pmtu with no effect.


Did you remember to change both the IP checksum and the TCP
header checksum?

Get Ethereal and have a look at the mangled packets. It
will tell you which part is not right.

--

Tauno Voipio
tauno voipio (at) iki fi

YEs i change both checksums.
tcpdump / ethereal tell checksum is always true.

they do not reveal any particular errors: sometimes a tcp segment gets lost,
but the message appears also with ISP that works, not only with the one that
does not.

Besides, tcp segment loss appears also when disabling my module and using
iptables, but in this case things work.

Surely iptables does some other things to adjust things, have you got any
ideas of where it could take place?

thanks anyway

giacomo



"Tauno Voipio" <(E-Mail Removed)> ha scritto nel messaggio
news:xRmUe.448$(E-Mail Removed)...
> Giacomo wrote:
>> Good morning.
>> I'm writing a nat module for study purposes in linux kernel.
>>
>> I do NAT, changing addresses and port in network packets (outgoing and
>> coming back)
>> Then i recalculate checksum.
>>
>> i don't mangle payload (not interested in ftp).
>>
>> Should i do any other adjustment? (TCP window, seq/ack) ?
>>
>> I think it should be enough, since process should be transparent to hosts
>> behind nat machine,
>> the fact is that in some networks it works fine, in other networks
>> communication fails.
>>
>> Tried changing mtu and clamp-tcpmss-to-pmtu with no effect.
>
>
> Did you remember to change both the IP checksum and the TCP
> header checksum?
>
> Get Ethereal and have a look at the mangled packets. It
> will tell you which part is not right.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi
>