Handling bad tcp checksums

Grant Taylor gtaylor at riverviewtech.net
Fri Aug 12 07:09:37 CEST 2005

Robert Nichols wrote:
> I've run into a problem handling tcp packets that have incorrect
> checksums.  It appears that such packets are assigned state INVALID,
> and thus are never treated as part of an ESTABLISHED connection.
> Thus, dropping such packets becomes the responsibility of the firewall.
> The problem is that unsolicited SYN,ACK packets are also matching
> "--state INVALID", and for these the proper action is to send tcp-reset.
> I cannot risk sending tcp-reset for an incorrect checksum -- the result
> would be that a transmission error would cause the connection to drop.
> If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
> decision on the flags in a possibly corrupted packet.
> Iptables doesn't seem to have any way to match on incorrect checksums.
> It looks like the best I can do is check the flags and accept the
> possibility that they are corrupted.
> Suggestions?

If we presume that you are correctly DROPing traffic that is in an INVALID state when the checksum is invalid, and you are just wanting to send a reset to an invalid connection with the SYN and ACK flags set, you could do something like the following:

... -p tcp -m state --state INVALID --tcp-flags SYN,ACK SYN,ACK ... -j MyResetTarget
... -m state --state INVALID ... -j DROP

Grant. . . .

> BTW, doesn't this mean that _all_ iptables matches are testing data
> that is possibly corrupted?
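The rules above rely on the kernel having already classified a segment with a bad checksum as INVALID. The following is an added Python example, not code from this thread, that shows what that verification does on a constructed SYN,ACK segment: it recomputes the TCP checksum over the IPv4 pseudo-header, then flips one bit in the flags byte to show that a corrupted segment fails the check, which is why the flags of such a packet cannot be trusted. The addresses, ports and packet layout are constructed for the example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 style 16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Minimal 20-byte TCP header (no options, no payload) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src_ip, dst_ip, segment) -> bool:
    """True when the stored checksum (bytes 16-17) matches the recomputed one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def tcp_flags(segment) -> int:
    """Flags byte of the TCP header (byte 13)."""
    return segment[13]

SYN, ACK = 0x02, 0x10
# Constructed sample addresses from the TEST-NET ranges.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

def demo():
    good = build_segment(SRC, DST, 443, 40000, SYN | ACK)
    # Simulate a single-bit transmission error in the flags byte: SYN,ACK turns into plain ACK.
    corrupted = good[:13] + bytes([good[13] ^ SYN]) + good[14:]
    return {
        "good_ok": checksum_ok(SRC, DST, good),
        "corrupt_ok": checksum_ok(SRC, DST, corrupted),
        "corrupt_flags": tcp_flags(corrupted),
    }
```

A receiver that sees the corrupted segment cannot tell whether the flags or some other byte was damaged, so the only safe action is to drop it rather than act on the flags.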
