Linux Netfilter discussions
* Handling bad tcp checksums
@ 2005-08-08 22:59 Robert Nichols
From: Robert Nichols @ 2005-08-08 22:59 UTC (permalink / raw)
  To: netfilter

I've run into a problem handling tcp packets that have incorrect
checksums.  It appears that such packets are assigned state INVALID,
and thus are never treated as part of an ESTABLISHED connection.
Thus, dropping such packets becomes the responsibility of the firewall.
The problem is that unsolicited SYN,ACK packets are also matching
"--state INVALID", and for these the proper action is to send tcp-reset.
I cannot risk sending tcp-reset for an incorrect checksum -- the result
would be that a transmission error would cause the connection to drop.
If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
decision on the flags in a possibly corrupted packet.

Iptables doesn't seem to have any way to match on incorrect checksums.
It looks like the best I can do is check the flags and accept the
possibility that they are corrupted.

Suggestions?

BTW, doesn't this mean that _all_ iptables matches are testing data
that is possibly corrupted?

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.




* Re: Handling bad tcp checksums
@ 2005-08-12  5:09 Grant Taylor
From: Grant Taylor @ 2005-08-12  5:09 UTC (permalink / raw)
  To: netfilter

Robert Nichols wrote:
> I've run into a problem handling tcp packets that have incorrect
> checksums.  It appears that such packets are assigned state INVALID,
> and thus are never treated as part of an ESTABLISHED connection.
> Thus, dropping such packets becomes the responsibility of the firewall.
> The problem is that unsolicited SYN,ACK packets are also matching
> "--state INVALID", and for these the proper action is to send tcp-reset.
> I cannot risk sending tcp-reset for an incorrect checksum -- the result
> would be that a transmission error would cause the connection to drop.
> If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
> decision on the flags in a possibly corrupted packet.
> 
> Iptables doesn't seem to have any way to match on incorrect checksums.
> It looks like the best I can do is check the flags and accept the
> possibility that they are corrupted.
> 
> Suggestions?

If we presume that you are correctly DROPping traffic that is in an INVALID
state when the checksum is invalid, and you just want to send a reset to an
invalid connection with the SYN and ACK flags set, you could do something
like the following:

... -p tcp -m state --state INVALID --tcp-flags SYN,ACK SYN,ACK ... -j MyResetTarget
... -m state --state INVALID ... -j DROP



Grant. . . .

> BTW, doesn't this mean that _all_ iptables matches are testing data
> that is possibly corrupted?

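The two messages above describe one decision procedure: conntrack labels a
segment with a bad checksum INVALID, and the rule order then decides whether
an INVALID SYN,ACK gets a tcp-reset or a silent DROP. The following is an
added worked model of that procedure (not code from the thread, from
iptables or from netfilter): it computes the real TCP checksum over the
IPv4 pseudo-header, stands in for conntrack with a tiny flow table, and
applies Grant's two rules with and without the checksum gate Bob asked for.
It goes slightly beyond the thread by showing a single flipped bit turning
an ESTABLISHED ACK into what looks like a SYN,ACK. Addresses, ports, the
flow table and the "drop unsolicited SYN" policy are all constructed for
the example.

```python
"""Toy model of INVALID-state handling for TCP: checksum check, a stand-in
for conntrack, and the reset-vs-drop rule ordering from the thread.
All packets and addresses below are constructed inline for the example."""
import struct
from typing import Dict, Set, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
DROP, RESET, ACCEPT = "DROP", "tcp-reset", "ACCEPT"

FlowKey = Tuple[bytes, int, bytes, int]  # (src_ip, sport, dst_ip, dport)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header (src, dst, 0, proto 6, length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                  flags: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header with a correct checksum (seq/ack/window are fixed)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """With the checksum field filled in, the sum over the whole thing is 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def conntrack_state(src_ip: bytes, dst_ip: bytes, segment: bytes,
                    table: Set[FlowKey]) -> str:
    """Stand-in for conntrack: bad checksum -> INVALID (before any flow lookup),
    known flow -> ESTABLISHED, lone SYN -> NEW, anything else -> INVALID."""
    if not checksum_ok(src_ip, dst_ip, segment):
        return "INVALID"
    sport, dport = struct.unpack("!HH", segment[:4])
    if (src_ip, sport, dst_ip, dport) in table:
        return "ESTABLISHED"
    if segment[13] & (SYN | ACK) == SYN:
        return "NEW"
    return "INVALID"


def firewall(src_ip: bytes, dst_ip: bytes, segment: bytes, table: Set[FlowKey],
             reset_requires_good_checksum: bool = True) -> str:
    """Grant's ordering for INVALID: SYN,ACK -> tcp-reset, the rest -> DROP.
    With the gate on, a reset is sent only if the flags are known to be intact."""
    state = conntrack_state(src_ip, dst_ip, segment, table)
    if state == "ESTABLISHED":
        return ACCEPT
    if state == "NEW":
        return DROP  # unsolicited inbound SYN; site policy chosen for this toy
    synack = segment[13] & (SYN | ACK) == (SYN | ACK)
    if synack and (not reset_requires_good_checksum or checksum_ok(src_ip, dst_ip, segment)):
        return RESET
    return DROP


def demo() -> Dict[str, Tuple[str, str]]:
    """Returns (gated, ungated) verdicts for three constructed segments."""
    a, b = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])   # constructed addresses
    table: Set[FlowKey] = {(a, 443, b, 40000)}             # one flow already tracked
    established = build_segment(a, b, 443, 40000, ACK, b"hello")
    unsolicited = build_segment(a, b, 443, 40001, SYN | ACK)
    # One bit flipped in flight: ACK (0x10) becomes SYN|ACK (0x12), checksum now wrong.
    corrupted = established[:13] + bytes([established[13] ^ SYN]) + established[14:]
    cases = {"established": established, "unsolicited_synack": unsolicited, "corrupted": corrupted}
    return {name: (firewall(a, b, seg, table, True), firewall(a, b, seg, table, False))
            for name, seg in cases.items()}


if __name__ == "__main__":
    for name, (gated, ungated) in demo().items():
        print("%-20s gated=%-9s ungated=%s" % (name, gated, ungated))
```

The corrupted segment is INVALID either way, exactly as Bob observed; the
difference is that without the checksum gate the flipped SYN bit earns it a
tcp-reset, which tears down a live connection, while with the gate it is
dropped and TCP retransmits. Real iptables cannot express the gate with the
matches discussed in the thread, which is why the reply settles for the two
rule order shown above.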


