[PATCH] remove overzealous checks in REJECT target]

Patrick McHardy kaber at trash.net
Fri Dec 17 17:59:21 CET 2004

Carl-Daniel Hailfinger wrote:

>Well, the kernel for sure doesn't care if netfilter isn't loaded. My
>patch (and by consequence, Yasuyuki's patch) only tried to behave the
>same as a kernel without netfilter enabled.
>Hint: Try nmap "protocol scan" on a host without netfilter loaded. It
>will happiliy reject packets which are too short. Then enable REJECT
>for all IP protocols you don't want to support. And you'll see that
>the too short packets will suddenly stay unanswered.
You're right. I was misguided by this comment in icmp.c:

 *      RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes of 

but icmp.c doesn't enforce this like ipt_REJECT. If no header is present, it
seems we are not required to return it :)

>So we either break the standard or we don't, but breaking it only if
>netfilter is not loaded doesn't sound like a sensible default to me.
Agreed, I'm going to apply the entire patch.


More information about the netfilter-devel mailing list