
When the Don't Fragment flag is set, the IPv4 RFC allows setting the Identification field to 0x0000.

I have a peer which is behind a firewall that breaks the RFC and blocks any IPv4 packets with such a 0x0000 ID field. My "modern" 4.4.0 Linux kernel generates packets with ID 0x0000, thus I can't create a TCP connection.

How can I prevent generating this 0x0000 ID, or how can I manipulate this field with iptables mangle or any other way?

luzik

  • This is a really interesting question! I'm voting to move this question to [unix.se] since it's more about the innards of Linux networking than about systems administration. There are some people at that site with deep and thorough knowledge of Linux networking, so I think someone will be able to give you a good answer. – Jenny D Aug 22 '18 at 12:55
  • It is your peer who should be fixing their firewall. It is certainly breaking other connections they might desire, and it's utterly unreasonable for them to expect _everyone_ to adapt to _their_ brokenness. – Michael Hampton Aug 22 '18 at 13:04
  • luzik, could you tell which version of the Linux kernel *always* sends id 0? I only get id 0 for TCP's first SYN+ACK (from the server side) at connection establishment. – A.B Aug 22 '18 at 20:29
  • [ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.9.127&id=e801b695c3e749ab02ff06274ec1cd06369342ca). Maybe more issues are to be expected in the future with your broken peer and newer Linux kernels (if you don't stay on 4.4). – A.B Sep 15 '18 at 12:34

1 Answer


You are probably referring to RFC 6864.

On a 4.17.x Linux I could see id = 0 only appear reliably for the SYN+ACK packet of a server answering a received connection, but not after.

UPDATE: OP confirmed that was the usual case in the Question too (with a 4.4.x kernel).

Probable minimal requirement: nftables v0.6. notrack is not needed; conntrack entries don't care about this id.

For what it's worth, here's an nftables rule to alter the id value to the value 0xbeef when [DF] is set and id == 0. I don't think iptables is able to do this at all.

```shell
# raw table with an output hook at priority -300 (runs before conntrack)
nft add table raw
nft 'add chain raw output {type filter hook output priority -300;}'
# match outgoing IPv4 packets with DF set and id 0, rewrite the id to 0xbeef
nft 'add rule raw output ip frag-off & 0x4000 != 0 ip id == 0 ip id set 0xbeef'
```

0x4000 here means the DF flag.

A.B

  • Setting the Id to 0 has always been permitted. Citing RFC 791: **However, since the Identifier field allows 65,536 different values** – kasperd Aug 22 '18 at 22:08
  • Rereading between the lines, ok, it's for the [DF] case only, because without DF the packet may be fragmented later and then the id would be needed. – A.B Aug 23 '18 at 05:47
  • I didn't write that, but you're right, this is true only for SYN+ACK. My kernel is 4.4.0. Thank you for this nft rule! – luzik Aug 23 '18 at 10:11
  • Some nft mangle features are only available after 4.10 but I think this one is ok (because it doesn't rewrite tcp, only ip). – A.B Aug 23 '18 at 10:34
  • ugh.. `Error: syntax error, unexpected set` I will upgrade distro – luzik Aug 23 '18 at 10:39
  • If you manage to upgrade only nftables, that should be enough with the same kernel. – A.B Aug 23 '18 at 11:26
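To make concrete what the nft rule in the answer does to a packet, here is an added Python example (not code from the question, the answer, or nftables itself). It parses an IPv4 header, models the strict peer firewall from the question (drop when DF is set and Identification is 0), and performs the same rewrite as `ip id set 0xbeef`, including the header checksum update that nftables performs implicitly. The sample packet (192.0.2.1 to 198.51.100.2, TCP, 20 bytes of zero payload) is constructed inline; `REWRITE_ID`, `dropped_by_strict_peer` and `rewrite_zero_id` are names chosen for this example.

```python
"""Inspect and rewrite the IPv4 Identification field of Don't-Fragment packets.

Added example: mirrors the nft rule
  ip frag-off & 0x4000 != 0 ip id == 0 ip id set 0xbeef
in pure Python so the effect on the header (id and checksum) can be seen.
"""
import struct

IP_DF = 0x4000          # Don't Fragment bit in the flags/fragment-offset word
REWRITE_ID = 0xBEEF     # replacement id, same value the answer's rule uses


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header, with the
    checksum bytes (offset 10..11) treated as zero."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and verify its checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum) = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & IP_DF),
        "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == csum,
    }


def dropped_by_strict_peer(packet: bytes) -> bool:
    """Model of the peer firewall in the question: DF set and id == 0."""
    hdr = parse_ipv4(packet)
    return hdr["df"] and hdr["id"] == 0


def rewrite_zero_id(packet: bytes, new_id: int = REWRITE_ID) -> bytes:
    """Python equivalent of the nft rule: for DF packets with id 0, set a new
    id and recompute the header checksum; all other packets pass unchanged."""
    if not dropped_by_strict_peer(packet):
        return packet
    ihl = parse_ipv4(packet)["ihl"]
    header = bytearray(packet[:ihl])
    struct.pack_into("!H", header, 4, new_id)                        # Identification
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))  # Header checksum
    return bytes(header) + packet[ihl:]


def build_ipv4(ident: int, df: bool, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed sample packet: 20-byte header, TTL 64, protocol TCP (6),
    192.0.2.1 -> 198.51.100.2, followed by a dummy payload."""
    flags_frag = IP_DF if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


if __name__ == "__main__":
    pkt = build_ipv4(ident=0, df=True)
    print("before: id=%#06x dropped=%s" % (parse_ipv4(pkt)["id"], dropped_by_strict_peer(pkt)))
    fixed = rewrite_zero_id(pkt)
    info = parse_ipv4(fixed)
    print("after:  id=%#06x dropped=%s checksum_ok=%s"
          % (info["id"], dropped_by_strict_peer(fixed), info["checksum_ok"]))
```

The rewrite only touches packets that match both conditions, so a packet without DF keeps id 0 untouched (it may be fragmented later and the rule deliberately does not match it), and a DF packet that already carries a non-zero id is passed through byte for byte.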