tcp match silently drops packets
Henrik Nordstrom
hno at marasystems.com
Sun Oct 16 19:35:32 CEST 2005
On Sun, 16 Oct 2005, Yasuyuki KOZAKAI wrote:
> I cannot reproduce this situation with linux-2.4.31 and recent iptables.
> tcp_match() returns 0 for such a packet because it doesn't have a TCP header and
> datalen is 0.
>
> if (offset == 1) {
> 	duprintf("Dropping evil TCP offset=1 frag.\n");
> 	*hotdrop = 1;
> 	return 0;
> } else if (offset == 0 && datalen < sizeof(struct tcphdr)) {
> 	/* We've been asked to examine this packet, and we
> 	   can't. Hence, no choice but to drop. */
> 	duprintf("Dropping evil TCP offset=0 tinygram.\n");
> 	*hotdrop = 1;
> 	return 0;
> }
>
> Could you tell me what you mean by 'match and silently drop' in detail?
The above code forces such packets to be dropped with no visible trace as to
why (*hotdrop = 1, also hinted at by the debug message and comment).
What he meant was "the match will silently drop the packet", not that the
rule as such will match the packet.
Regards
Henrik
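Added illustration of the point above, not code from the kernel or from either poster: a simplified table walk in which the match function reports "no match" yet sets *hotdrop, and the caller turns that into a drop regardless of the rule's target, with nothing logged. The struct pkt fields, TCPHDR_LEN, and the "non-first fragments never match" rule are assumptions made for the example.

```c
/* Added example (not kernel code): how a match's *hotdrop flag overrides
 * the rule verdict in an iptables-style table walk. */
#include <stddef.h>

#define TCPHDR_LEN 20            /* stands in for sizeof(struct tcphdr) */
enum verdict { V_ACCEPT, V_DROP };

/* Minimal stand-in for what tcp_match() inspects (assumed fields). */
struct pkt { int offset; size_t datalen; unsigned short dport; };

/* Mirrors the quoted checks: returns 1 on match, 0 otherwise, and sets
 * *hotdrop for the two "evil" cases so the caller drops unconditionally.
 * No log message is emitted, which is why the drop looks silent. */
static int tcp_match(const struct pkt *p, unsigned short want_dport, int *hotdrop)
{
    if (p->offset == 1) {             /* 8-byte first fragment: flags would overlap */
        *hotdrop = 1;
        return 0;
    } else if (p->offset == 0 && p->datalen < TCPHDR_LEN) {
        *hotdrop = 1;                 /* first fragment too short to inspect */
        return 0;
    }
    if (p->offset)                    /* assumption: non-first fragments never match */
        return 0;
    return p->dport == want_dport;    /* the ordinary port comparison */
}

/* One rule "-p tcp --dport <want_dport> -j ACCEPT" followed by the chain
 * policy. As in ipt_do_table, a set hotdrop wins over the rule target. */
enum verdict walk_table(const struct pkt *p, unsigned short want_dport, enum verdict policy)
{
    int hotdrop = 0;
    int matched = tcp_match(p, want_dport, &hotdrop);
    if (hotdrop)
        return V_DROP;     /* verdict forced to NF_DROP; rule target never consulted */
    if (matched)
        return V_ACCEPT;   /* rule target */
    return policy;         /* fell off the end of the chain */
}
```

With an ACCEPT policy the offset=1 fragment and the tinygram are still dropped, which is the behaviour the thread calls "match and silently drop".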