REJECT using invalid data

Pablo Neira pablo at eurodev.net
Tue Dec 7 12:07:15 CET 2004


Simon Kirby wrote:

>After some recent interesting network issues involving an onboard Tigon3
>card with faulty buffer memory, we discovered that netfilter has some
>issues with handling corrupted packets.  This took quite some time to
>diagnose, I might add. :)
>
>It appears that a packet with a bad TCP checksum will be disregarded by
>the state tracking code (and apparently shows up as "INVALID").  Fine.
>
>However, the same packet will then likely continue traversing rules until
>it hits some kind of REJECT rule.
>

Not really, my ruleset drops it; actually another rule here logs it first.

-A INPUT -m state --state INVALID -j DROP

>  REJECT can be set to reject with a
>tcp-reset or some ICMP response at this point.  If so, it will actually
>use the possibly-incorrect information from the bad TCP packet and send a
>rejection packet.  As far as I can tell, this is a bug.
>  
>

Yes, that's a bug, but in your ruleset people should log/drop/let invalid 
packets continue, not reject them. So I don't see the point of sending a 
patch. Maybe you could send a patch to clarify this in the man page.

--
Pablo
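The ordering the reply recommends, as an added example that is not part of the thread and not code from the netfilter project: a ruleset in iptables-restore format that logs and drops conntrack-INVALID packets at the top of INPUT, so a packet with a bad TCP checksum never reaches a REJECT rule that would build a tcp-reset from its corrupted header, plus a small audit over an iptables-save dump that checks for that ordering. The chain names, ports and log prefix are illustrative assumptions; the audit only walks the rules of one chain and does not follow jumps into user-defined chains.

```shell
#!/bin/sh
# Added example (not from the original thread or the netfilter project).
# 1) two constructed rulesets in iptables-restore format, one safe, one with
#    the REJECT-before-INVALID ordering problem described in the thread;
# 2) audit_chain, which reads an iptables-save dump on stdin and fails if a
#    REJECT rule in the given chain is reachable before INVALID is dropped.

# Safe ordering: INVALID is logged (rate limited) and dropped first, so the
# REJECT rules at the bottom only ever answer well-formed packets.
safe_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "INVALID: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Problem ordering: a corrupted TCP packet (INVALID) hits the tcp-reset
# REJECT before anything drops it, so a reset is sent using its bad fields.
unsafe_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
COMMIT
EOF
}

# audit_chain CHAIN  (iptables-save dump on stdin)
# Returns 0 if every "-j REJECT" appended to CHAIN comes after a rule that
# matches INVALID (via "-m state --state" or "-m conntrack --ctstate") and
# terminates with DROP; returns 1 otherwise. Only the named chain is checked.
audit_chain() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      if ($0 ~ /--(ct)?state[ ]+[A-Z,]*INVALID/ && $0 ~ /-j[ ]+DROP/) guarded = 1
      if ($0 ~ /-j[ ]+REJECT/ && !guarded) bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Usage: audit a live system with
#   iptables-save | audit_chain INPUT || echo "REJECT reachable by INVALID packets"
```

Run `iptables-save | audit_chain INPUT` on a host; a non-zero exit means a REJECT rule can still be reached by packets the state tracker has already classified as INVALID. The same check applies to FORWARD if REJECT is used there.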



More information about the netfilter-devel mailing list