Hi,

Due to a bug in a home router, I had to deal with ICMP packets with a
wrong checksum. I discovered that netfilter does not drop ICMP packets
with a wrong checksum in the ICMP header.

I have set up IP forwarding and NAT on a Debian host using iptables. On
this host iptables/netfilter allows outgoing "ICMP destination
unreachable" packets with a wrong ICMP checksum. These ICMP packets are
translated by NAT and forwarded to the public network interface.

When I replace the Debian host with an OpenWRT router, outgoing "ICMP
destination unreachable" packets need to have a correct checksum.
Otherwise they are dropped. OpenWRT also uses iptables/netfilter for
packet filtering and NAT. However, there is no iptables rule that could
explain this behavior.

I would like to know why these two versions of netfilter behave
differently. Is there a configuration option to tell netfilter to filter
these messages? Should NAT implementations filter these ICMP messages
with a wrong checksum?

I know this is a rather special issue, but maybe someone can help :)

Regards
Florian Wohlfart
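
The check at issue in this message, verifying the ICMP checksum of a "destination unreachable" packet, as an added example that is not part of the original post and is not netfilter's code. The addresses, ports and helper names are constructed for illustration; the checksum is the RFC 1071 Internet checksum computed over the whole ICMP message.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed helper: minimal 20-byte IPv4 header (no options) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def dest_unreach(code: int, quoted: bytes, corrupt: bool = False) -> bytes:
    """ICMP type 3 message quoting the offending IP header + 8 payload bytes."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    csum = inet_checksum(body) ^ (1 if corrupt else 0)  # flip one bit if asked
    return body[:2] + struct.pack("!H", csum) + body[4:]

def check_icmp(pkt: bytes) -> dict:
    """Verify the ICMP checksum of an IPv4 packet; report stored vs expected."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]  # honour IP total length
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, stored = struct.unpack("!BBH", icmp[:4])
    expected = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    # A message is valid when the sum over it, checksum included, folds to 0.
    return {"type": icmp_type, "code": code, "stored": stored,
            "expected": expected, "valid": inet_checksum(icmp) == 0}

# Constructed sample: a UDP datagram that triggers "port unreachable" (code 3).
QUOTED = ipv4("198.51.100.7", "192.0.2.10", 17,
              struct.pack("!HHHH", 40000, 33434, 8, 0))
GOOD = ipv4("192.0.2.10", "198.51.100.7", 1, dest_unreach(3, QUOTED))
BAD = ipv4("192.0.2.10", "198.51.100.7", 1, dest_unreach(3, QUOTED, corrupt=True))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, check_icmp(pkt))
```
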