From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Handling bad tcp checksums
Date: Fri, 12 Aug 2005 00:09:37 -0500 [thread overview]
Message-ID: <42FC2F11.1020709@riverviewtech.net> (raw)
In-Reply-To: <dd8o4i$hjr$1@sea.gmane.org>
Robert Nichols wrote:
> I've run into a problem handling tcp packets that have incorrect
> checksums. It appears that such packets are assigned state INVALID,
> and thus are never treated as part of an ESTABLISHED connection.
> Thus, dropping such packets becomes the responsibility of the firewall.
> The problem is that unsolicited SYN,ACK packets are also matching
> "--state INVALID", and for these the proper action is to send tcp-reset.
> I cannot risk sending tcp-reset for an incorrect checksum -- the result
> would be that a transmission error would cause the connection to drop.
> If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
> decision on the flags in a possibly corrupted packet.
>
> Iptables doesn't seem to have any way to match on incorrect checksums.
> It looks like the best I can do is check the flags and accept the
> possibility that they are corrupted.
>
> Suggestions?
If we presume that you are correctly DROPping traffic that is in an INVALID state when the checksum is invalid, and you just want to send a reset to an invalid connection with the SYN and ACK flags set, you could do something like the following:
... -p tcp -m state --state INVALID --tcp-flags SYN,ACK SYN,ACK ... -j MyResetTarget
... -m state --state INVALID ... -j DROP
Grant. . . .
> BTW, doesn't this mean that _all_ iptables matches are testing data
> that is possibly corrupted?
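Added illustration, not code from this thread or from netfilter: a small Python model of the ordering problem discussed above, showing why a TCP checksum has to be verified before any flag match on the same packet can be trusted. The addresses, ports and segment bytes are constructed, and `classify` assumes the segment has already been judged unsolicited (INVALID) by connection tracking.

```python
import struct

SYN, ACK = 0x02, 0x10
# Constructed sample endpoints (assumed, not from the thread).
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment.
    Over a segment whose checksum field is zero this is the value to send;
    over a received segment with its checksum in place, intact data gives 0."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_segment(src, dst, sport, dport, flags) -> bytes:
    """Minimal 20-byte TCP header with a correct checksum (constructed)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def corrupt(segment: bytes, offset: int, mask: int) -> bytes:
    """Simulate a transmission error by flipping bits in one byte."""
    buf = bytearray(segment)
    buf[offset] ^= mask
    return bytes(buf)

def classify(src, dst, segment) -> str:
    """Verdict for a segment that conntrack has already marked INVALID.
    Integrity is checked before any header field is trusted: with a bad
    checksum the flags themselves may be corrupt, so the only safe verdict
    is DROP; only a verifiably intact unsolicited SYN,ACK gets a tcp-reset."""
    if tcp_checksum(src, dst, segment) != 0:
        return "DROP"
    if (segment[13] & (SYN | ACK)) == (SYN | ACK):
        return "REJECT --reject-with tcp-reset"
    return "DROP"
```

Flipping the ACK bit of a valid SYN,ACK makes the segment look like a plain SYN while its checksum no longer verifies, which is exactly the packet a flags-first rule ordering would misjudge.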