On Thu, May 02, 2002 at 12:29:25PM -0400, William Stearns wrote:
> Good day, Brian, all,
>       (Many thanks to George Bakos, one of my fellow researchers, for
> clarifying the following material about unreachables.)

Indeed!  I had some recollection that there was a minimum amount of
the enclosed packet to be sent back but I thought it was a MAY not a
MUST.

>       According to the RFCs (rfc 792 and 1122, at
> http://www.rfc-editor.org/rfc/rfc792.txt and
> http://www.rfc-editor.org/rfc/rfc1122.txt ) for unreachables, the router
> creating the unreachable message _must_ include at least the IP header and
> at least 8 bytes (a stack can return more if it chooses, rfc1122 clarified
> this) of the next header after IP.

Right.

> In the case of straightforward tcp or
> udp packets, 8 bytes is enough for the unreachable message to guarantee
> that the port information comes back in the unreachable message.  The only
> case we can think of where the port information might get bumped out of an
> unreachable is if there's an ipsec authentication header between the IP
> header and the tcp header.

Agreed.

>       Is there any chance you're using an older kernel?  I seem to 
> remember there were some fixes to the logging of unreachables, but I can't 
> remember when.

Nope.

>       One approach might be to capture one of these packets with 
> tcpdump, decode it, and see if it does include port info.

I was doing that when I read the second paragraph above.  :-)

The problem is actually that the host sending back the ICMP port
unreachable is mangling (pretty badly) the encapsulated packet.  In
particular, what is barfing iptables is that it is altering the
fragment offset bits from 0x0 to 0x40.  It also mangles the packet
length and the flags.  ~sigh~

Looks like it's some kind of a CacheFlow device.  Why there are DNS
records pointing to it as a nameserver, I dunno.

b.

-- 
Brian J. Murrell
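As an added example (not code from the thread), a small Python decoder that applies the RFC 792/1122 minimum quoted above (inner IP header plus 8 bytes) and flags an embedded header whose fragment offset field has been rewritten, the failure mode described for the CacheFlow device; the sample packets, addresses and ports are constructed for the example.

```python
import struct

def parse_icmp_unreachable(icmp):
    """Decode an ICMP Destination Unreachable (type 3) and inspect the quoted
    datagram. 'problems' lists anything preventing port recovery. Returns None
    if not type 3 or shorter than the RFC 792/1122 minimum (IP header + 8)."""
    if len(icmp) < 8 + 20:
        return None
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        return None
    inner = icmp[8:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None  # less than the minimum the RFCs require
    info = {
        "code": code,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "flags": flags_frag >> 13,           # reserved, DF, MF
        "frag_offset": flags_frag & 0x1FFF,  # in 8-byte units
        "total_len": total_len,
        "sport": None, "dport": None,
        "problems": [],
    }
    if total_len < ihl + 8:
        info["problems"].append("inner total length shorter than header + 8")
    if info["frag_offset"] != 0:
        # Only a first fragment carries the transport header, so a non-zero
        # offset means the quoted 8 bytes hold no port fields at all.
        info["problems"].append("non-zero fragment offset: ports not present")
    elif proto in (6, 17):  # TCP or UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

def build_unreachable(flags_frag, total_len=28):
    """Construct (for this example only) an ICMP port-unreachable quoting an
    inner IPv4/UDP header: 10.0.0.1:40000 -> 192.0.2.53:53."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                           flags_frag, 64, 17, 0, bytes([10, 0, 0, 1]),
                           bytes([192, 0, 2, 53]))
    udp8 = struct.pack("!HHHH", 40000, 53, 8, 0)  # sport, dport, len, csum
    return struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + udp8

GOOD = build_unreachable(0x0000)     # well-formed, as a correct stack sends
MANGLED = build_unreachable(0x0040)  # flags/offset field rewritten to 0x40
```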
