I've run into a problem handling tcp packets that have incorrect
checksums. It appears that such packets are assigned state INVALID,
and thus are never treated as part of an ESTABLISHED connection.
Thus, dropping such packets becomes the responsibility of the firewall.
The problem is that unsolicited SYN,ACK packets are also matching
"--state INVALID", and for these the proper action is to send tcp-reset.
I cannot risk sending tcp-reset for an incorrect checksum -- the result
would be that a transmission error would cause the connection to drop.
If I test "--flags SYN,ACK SYN,ACK" then I run the risk of basing my
decision on the flags in a possibly corrupted packet.
Iptables doesn't seem to have any way to match on incorrect checksums.
It looks like the best I can do is check the flags and accept the
possibility that they are corrupted.
Suggestions?
BTW, doesn't this mean that _all_ iptables matches are testing data
that is possibly corrupted?
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.
