[Bug]: (some) ICMP replies marked as invalid.

[Bug]: (some) ICMP replies marked as invalid.

[Anders Fugmann]

Hi,

The rule:
	iptables -I OUTPUT -m state --state INVALID -j DROP
(all other chains empty with policy accept), results in ICMP replies to
tracetoute being dropped.

Is dropping invalid packets on the output chain not recommended, or is 
the code determining if a packet is invalid broken?

Regards
Anders Fugmann

Re: [Bug]: (some) ICMP replies marked as invalid.

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 878 bytes --]

On Tue, May 27, 2003 at 11:17:39PM +0200, Anders Fugmann wrote:
> Hi,
> 
> The rule:
> 	iptables -I OUTPUT -m state --state INVALID -j DROP
> (all other chains empty with policy accept), results in ICMP replies to
> tracetoute being dropped.
> 
> Is dropping invalid packets on the output chain not recommended, or is 
> the code determining if a packet is invalid broken?

since this is a bug report, please put it into bugzilla.netfilter.org.

thanks a lot.

> Regards
> Anders Fugmann

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]