REJECT using invalid data
Pablo Neira
pablo at eurodev.net
Tue Dec 7 12:07:15 CET 2004
Simon Kirby wrote:
>After some recent interesting network issues involving an onboard Tigon3
>card with faulty buffer memory, we discovered that netfilter has some
>issues with handling corrupted packets. This took quite some time to
>diagnose, I might add. :)
>
>It appears that a packet with a bad TCP checksum will be disregarded by
>the state tracking code (and apparently shows up as "INVALID"). Fine.
>
>However, the same packet will then likely continue traversing rules until
>it hits some kind of REJECT rule.
>
Not really; my ruleset drops it, and actually another rule here is
logging it first:
-A INPUT -m state --state INVALID -j DROP
> REJECT can be set to reject with a
>tcp-reset or some ICMP response at this point. If so, it will actually
>use the possibly-incorrect information from the bad TCP packet and send a
>rejection packet. As far as I can tell, this is a bug.
>
>
Yes, that's a bug, but in your ruleset people should log/drop/let
continue invalid packets, not reject them. So I don't see the point
of sending a patch. Maybe you could send a patch to clarify this in the
man page.
--
Pablo
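As an added example that is not part of the thread: a small shell/awk check over iptables-save output that flags any chain in which a REJECT rule can be reached by an INVALID packet, i.e. no "--state INVALID -j DROP" (or "--ctstate INVALID") rule precedes it in that chain. The sample ruleset is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not from the original thread).
# INPUT logs and drops INVALID before its REJECT rule; FORWARD rejects first.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
COMMIT'

# Reads iptables-save output on stdin and prints, once per chain, the name
# of every chain whose first REJECT rule is not preceded by a rule that
# drops INVALID packets. Prints nothing when the ordering is safe.
find_reject_before_invalid_drop() {
    awk '
        /^-A / {
            chain = $2
            # A drop of INVALID (old "-m state" or newer "-m conntrack" syntax)
            # protects every later rule in the same chain.
            if ($0 ~ /--(ct)?state [A-Z,]*INVALID/ && $0 ~ /-j DROP/)
                dropped[chain] = 1
            if ($0 ~ /-j REJECT/ && !dropped[chain] && !flagged[chain]) {
                flagged[chain] = 1
                print chain
            }
        }'
}

# Runs the check over the constructed sample; expected result: FORWARD.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_reject_before_invalid_drop
}
```

Run it against a live system with `iptables-save | find_reject_before_invalid_drop` after sourcing the file.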