[Bug 66] INPUT REJECT target needs state creation in OUTPUT

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Thu, 20 Mar 2003 11:24:22 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=66
------- Additional Comments From netfilterbug@shemesh.biz  2003-03-20 11:24 -------
My apologies. It was so clear to me that this was a logic error that I didn't
think it would matter.

I am using a distribution kernel, so I'm not sure what patches are installed (if
any that affect the IPTables code). The kernel is a Debian woody kernel
2.4.18-686 revision 2.4.18-5.

What I believed was the cause of this problem (without looking at the code) was
that a SYN packet creates a connection, and that the reset passes OUTPUT on
that state (via the -m state --state ESTABLISHED rule). A packet with no flags at
all did not create the connection, and therefore did not pass the OUTPUT chain.

Checking the counters, however, reveals this theory to be false. The reject sent
for TCP SYN packets does not modify any counters, while the reject sent for TCP
no-flags packet requires an output rule allowing a reset.
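An added example, not part of the bug report or of netfilter's own code: a minimal ruleset reproducing the setup the comment describes (REJECT with tcp-reset in INPUT, an ESTABLISHED-only OUTPUT chain) with a separate OUTPUT rule that accepts RST packets, so that per-rule counters show whether the REJECT-generated reset is matched by state or needs its own rule. The interface, port, the hping3 probe commands and the LOG rule are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the INPUT REJECT /
# OUTPUT ESTABLISHED setup and read the counters that distinguish the
# two cases. PORT and IFACE are assumptions for the example.
PORT="${PORT:-8080}"
IFACE="${IFACE:-eth0}"

# Emit the ruleset in iptables-restore syntax. OUTPUT passes only
# state-matched traffic plus a separate RST-accept rule; the counter on
# that RST rule is the observation the comment relies on. A final LOG
# rule records anything OUTPUT would otherwise drop.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${IFACE} -p tcp --dport ${PORT} -j REJECT --reject-with tcp-reset
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
-A OUTPUT -j LOG --log-prefix "out-drop: "
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated ruleset
# (used as a sanity check before loading anything into the kernel).
rule_count() {
    build_ruleset | grep -c -- "^-A $1 "
}

# Load the ruleset; refuses to run without root and iptables-restore.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_ruleset: needs root and iptables-restore" >&2
        return 1
    fi
    build_ruleset | iptables-restore
}

# Exact per-rule packet/byte counters for OUTPUT (-x avoids K/M rounding).
# Run this before and after each probe and diff the RST and LOG rows.
show_counters() {
    iptables -L OUTPUT -v -n -x --line-numbers
}

# Probes from another host (hping3 assumed installed there):
#   hping3 -c 1 -S -p "$PORT" <target>    # TCP SYN
#   hping3 -c 1 -p "$PORT" <target>       # TCP with no flags (hping3 default)
```

Compare the OUTPUT counters around each probe: if the RST-accept rule's packet count rises only for the no-flags probe while the SYN probe leaves every OUTPUT counter unchanged, you have reproduced the observation in the comment; an "out-drop:" log line instead means the reset was generated but blocked by OUTPUT.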
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.