REJECT using invalid data

Simon Kirby sim at netnation.com
Tue Dec 7 18:28:23 CET 2004


On Tue, Dec 07, 2004 at 12:07:15PM +0100, Pablo Neira wrote:

> not really, my ruleset drops it, actually another rule here is 
> previously logging it.
> 
> -A INPUT -m state --state INVALID -j DROP

That's all fine and dandy, except that we can't use state tracking in our
configuration because of asymmetric routing (which is required due to
BGP).  This is fairly common, and not an incorrect setup.

> > REJECT can be set to reject with a
> > tcp-reset or some ICMP response at this point.  If so, it will actually
> > use the possibly-incorrect information from the bad TCP packet and send a
> > rejection packet.  As far as I can tell, this is a bug.
> 
> yes, that's a bug, but in your ruleset, people should log/drop/let 

No!  It is not a bug in our ruleset, it is a bug in REJECT.

It is incorrect to reply to packet layers that have bad checksums.
REJECT in this case must DROP, because anything else would be broken.

Simon-
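
As an added example (not code from this thread and not netfilter's REJECT implementation), the check the message argues a rejecting target must make before answering: verify the IPv4 header checksum and the TCP checksum over the pseudo-header, and drop rather than reply if either fails. The addresses, ports and the packet builder are constructed sample values and hypothetical helpers for illustration. The rst_target function shows what a tcp-reset reply would be aimed at when the source address and port are read straight from an unverified header, which is the hazard the message describes.

```python
import struct

# Constructed sample endpoints for the example (not from the thread).
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"


def _sum16(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum to place in a header whose checksum field is zero."""
    return (~_sum16(data)) & 0xFFFF


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags=0x02):
    """Hypothetical helper: minimal IPv4 + TCP header (SYN, no payload) with correct checksums."""
    src, dst = _ip_bytes(src_ip), _ip_bytes(dst_ip)
    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def ip_header_ok(pkt: bytes) -> bool:
    """True if the IPv4 header checksum verifies (one's-complement sum over header == 0xFFFF)."""
    if len(pkt) < 20:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return False
    return _sum16(pkt[:ihl]) == 0xFFFF


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True if the TCP checksum (over pseudo-header + segment) verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len > len(pkt) or total_len < ihl + 20:
        return False
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return _sum16(pseudo + tcp) == 0xFFFF


def reject_verdict(pkt: bytes) -> str:
    """What a checksum-aware REJECT should do: only answer a packet whose checksums verify."""
    if not ip_header_ok(pkt):
        return "DROP"
    if pkt[9] == 6 and not tcp_checksum_ok(pkt):
        return "DROP"
    return "REJECT"


def rst_target(pkt: bytes):
    """(address, port) a tcp-reset reply would be aimed at, read straight from the headers."""
    ihl = (pkt[0] & 0x0F) * 4
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return ".".join(str(b) for b in pkt[12:16]), sport


if __name__ == "__main__":
    good = build_ipv4_tcp(SRC_IP, DST_IP, 40000, 80)
    bad_tcp = bytearray(good)
    bad_tcp[20] ^= 0x01          # corrupt the high byte of the TCP source port
    bad_ip = bytearray(good)
    bad_ip[15] ^= 0x01           # corrupt the last octet of the IPv4 source address
    for name, pkt in (("good", good), ("bad_tcp", bytes(bad_tcp)), ("bad_ip", bytes(bad_ip))):
        print(name, reject_verdict(pkt), rst_target(pkt))
```

With the corrupted TCP header the reset would be aimed at port 40256 instead of 40000, a host and port that never sent anything; the verdict function refuses to generate that reply because the segment's checksum does not verify. The same applies with the corrupted source address, where the IP header checksum fails first.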
