From: Simon Kirby <sim@netnation.com>
To: Jonas Berlin <xkr47@outerspace.dyndns.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: iptables STILL incorrectly using TCP packet contents without checking header!
Date: Thu, 31 Mar 2005 16:03:40 -0800 [thread overview]
Message-ID: <20050401000340.GA2275@netnation.com> (raw)
In-Reply-To: <424C57EB.7020308@outerspace.dyndns.org>
On Thu, Mar 31, 2005 at 11:04:59PM +0300, Jonas Berlin wrote:
> What does it do if it mismatches? Match state "INVALID" ? Or not match any
> state at all?
Yes, state INVALID.
> If (and only if) the "state" match doesn't let us match the packet with
> f.ex. the INVALID state, how would we allow the user to match these packets?
> Maybe a --verify-checksum could be added to -p tcp and -p udp, which would
> maybe mostly be used inverted?
>...
> But what will be done in case REJECT notices it's not valid? Return
> IPT_CONTINUE? If that, then at least the packet & byte counters will
> possibly be misleading - aren't they incremented regardless of the return
> value of the target?
Ahh, right, the details... always in the way!
I was thinking that REJECT should DROP in any case where it is unable to
respond due to bad checksums, etc., but where the match side of the rule
did match. It would be very bad to skip the rule in this case and
incorrect, I would suspsect, to do anything else.
Others have mentioned that a "is corrupted?" match option would be useful
for this and other reasons. It is not sufficient to depend on the state
module for this feature because there are situations where using stateful
tracking is not possible (eg: BGP routers, as in my case). Maybe
something like this:
iptables -A FORWARD -m checksum ! --checksum ip -J DROP
iptables -A FORWARD -p tcp -m checksum ! --checksum tcp -J DROP
(Grr, the "-m module --module-foo" syntax is annoyingly redundant.)
As for the matching side of things, let's see... Is it ever bad to
skip a rule that with otherwise block a corrupted packet? For instance:
iptables -A FORWARD -d 1.2.3.4 --dport 22 -j REJECT
iptables -P FORWARD ACCEPT
If checksumming were implemented in this case and the rule no longer
matched a corrupted packet, the packet would still be forwarded.
However, the end point should just discard it. I don't think this
will introduce any new problems except possibly for the ability to
fling loads of corrupted packets (DoS) past firewalls if TCP is
blocked with something like:
iptables -A FORWARD -p tcp --dport 0:65535 -j REJECT
This is probably a rare case, but probably worth noting.
Is there anything else?
Simon-
next prev parent reply other threads:[~2005-04-01 0:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-31 18:57 iptables STILL incorrectly using TCP packet contents without checking header! Simon Kirby
2005-03-31 20:04 ` Jonas Berlin
2005-03-31 23:27 ` Henrik Nordstrom
2005-04-03 18:34 ` Patrick McHardy
2005-04-01 0:03 ` Simon Kirby [this message]
2005-04-05 14:24 ` Amin Azez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050401000340.GA2275@netnation.com \
--to=sim@netnation.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=xkr47@outerspace.dyndns.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.