From: Grant Taylor
Subject: Re: Handling bad tcp checksums
Date: Fri, 12 Aug 2005 00:09:37 -0500
Message-ID: <42FC2F11.1020709@riverviewtech.net>
To: netfilter@lists.netfilter.org

Robert Nichols wrote:
> I've run into a problem handling tcp packets that have incorrect
> checksums. It appears that such packets are assigned state INVALID,
> and thus are never treated as part of an ESTABLISHED connection.
> Thus, dropping such packets becomes the responsibility of the firewall.
> The problem is that unsolicited SYN,ACK packets are also matching
> "--state INVALID", and for these the proper action is to send tcp-reset.
> I cannot risk sending tcp-reset for an incorrect checksum -- the result
> would be that a transmission error would cause the connection to drop.
> If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
> decision on the flags in a possibly corrupted packet.
>
> Iptables doesn't seem to have any way to match on incorrect checksums.
> It looks like the best I can do is check the flags and accept the
> possibility that they are corrupted.
>
> Suggestions?

If we presume that you are correctly DROPing traffic that is in an
INVALID state when the checksum is invalid, and you are just wanting to
send a reset to an invalid connection with the SYN and ACK flags set,
you could do something like the following:

    ... -m state --state INVALID -p tcp --tcp-flags SYN,ACK SYN,ACK ... -j MyResetTarget
    ... -m state --state INVALID ... -j DROP

Grant. . . .

> BTW, doesn't this mean that _all_ iptables matches are testing data
> that is possibly corrupted?
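As an added example (not part of Grant's or Robert's messages), the following Python sketch shows the distinction the thread is circling: verify the TCP checksum (RFC 793/1071, pseudo-header included) before looking at any other field, so that the flags of a corrupted segment are never the basis for a tcp-reset. The packet builder, the addresses and the `established` set standing in for conntrack's connection table are all constructed for this example; the rule order mirrors Grant's suggestion with the checksum decision made explicit.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP_PROTO = 6
TCP_HDR_LEN = 20


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's-complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad a zero byte for the last 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment.

    Over a segment whose checksum field is already filled in correctly the
    result is 0, which is the receiver-side validity test."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed helper: a minimal 20-byte TCP header (no options) with a valid checksum."""
    data_offset = 5 << 4  # 5 words, no options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]  # checksum lives at bytes 16-17
    return hdr + payload


def classify(src_ip: bytes, dst_ip: bytes, segment: bytes, established: set) -> str:
    """Decide the firewall verdict for one TCP segment.

    Order matters: a bad checksum means no field of the segment can be
    trusted, so it is dropped silently before the flags are examined.  Only
    a segment that checks out and belongs to no known connection but
    carries SYN,ACK is answered with a reset."""
    if len(segment) < TCP_HDR_LEN:
        return "DROP"
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        return "DROP"  # INVALID because of the checksum: never send tcp-reset
    sport, dport = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    if (src_ip, sport, dst_ip, dport) in established:
        return "ACCEPT"  # what conntrack would call ESTABLISHED
    if flags & (SYN | ACK) == (SYN | ACK) and not flags & RST:
        return "REJECT --reject-with tcp-reset"  # unsolicited SYN,ACK
    return "DROP"


def demo() -> dict:
    """Run the three cases from the thread on constructed packets."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # constructed addresses
    unsolicited = build_tcp(src, dst, 80, 40000, 1000, 2000, SYN | ACK)
    plain_ack = build_tcp(src, dst, 80, 40000, 1000, 2000, ACK, b"data")
    established = {(src, 80, dst, 40000)}
    # Simulate a transmission error that flips the SYN bit of an in-connection
    # ACK: on the wire it now looks like SYN,ACK, but the checksum no longer matches.
    corrupted = bytearray(plain_ack)
    corrupted[13] ^= SYN
    corrupted = bytes(corrupted)
    return {
        "unsolicited_synack": classify(src, dst, unsolicited, set()),
        "established_ack": classify(src, dst, plain_ack, established),
        "corrupted_ack": classify(src, dst, corrupted, established),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The corrupted segment would have matched `--tcp-flags SYN,ACK SYN,ACK` on its flag bits alone; checking the checksum first is what keeps a single transmission error from turning into a reset of a live connection. Later kernels expose `net.netfilter.nf_conntrack_checksum` to control whether conntrack performs this checksum validation at all.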