Hello,

I'm seeking advice on how to log an IPv4 packet with no transport layer - no ICMP/TCP/UDP/etc... layer, though the IPv4 header does specify the protocol field as such.

I'm using sendip to generate such packets, in this case an IP packet with protocol specified as UDP but no UDP header nor payload (and .1 = pc, .254 = firewall):

    sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.254 -ip 17 -v 192.168.1.254

Assume the last rule in my mangle PREROUTING table is to log the packet with the LOG target.

In mangle I have a rule:

    iptables -t mangle -I PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay

It seems that inspecting an IP packet as malformed as the one I am sending causes this rule to silently 'consume' the packet, and it fails to be processed by any more rules.

If I change the rule to just specify udp, and not inspect the port (which obviously isn't there because there is no L4 payload), then everything works well:

    iptables -t mangle -D PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -I PREROUTING -p udp -j TOS --set-tos Minimize-Delay

So something about specifying a port is giving it grief - it's not handling the lack of a UDP header gracefully. I've tried the same using TCP instead of UDP and experience identical results.

My question is: how can I best approach logging (and not processing any further) packets as malformed as the ones I've described above?

I have observed that checking if the state is INVALID seems to filter out the packets nicely, assuming it's called before any rule that inspects L4 fields:

    iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP_AND_LOG

where DROP_AND_LOG is another chain that does what it says (-j LOG, -j DROP).

However, I've never tested state in mangle before - only ever in filter. I'm unsure if this approach is sound or if it is likely to introduce problems. From my casual observations today it seems to work fine - however I haven't tested exhaustively yet.
Is there a better approach to the problem?
Am I safe to use '-m state --state INVALID' in mangle?
Is there a bug in the way iptables handles L4 processing? (I've noticed the same bug with rules using multiport as well.) If a rule cannot match the condition, should it not move on to the next rule to test against?

iptables 1.4.7
linux kernel 2.6.32.9

Regards,
Mike C.
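As an added example (not part of the original post, and not sendip or netfilter code), here is a userspace check in Python for the condition the post describes: it parses the IPv4 header and reports whether the transport header that the protocol field promises is actually present, which is the kind of sanity check conntrack performs before it marks such a packet INVALID. The packet builder and all sample packets are constructed here to match the sendip command above; the status strings are the example's own.

```python
import ipaddress
import struct

# Smallest transport header a port match can read: UDP is a fixed 8 bytes,
# TCP is at least 20 bytes (its data offset may make it longer).
MIN_L4_HEADER = {6: 20, 17: 8}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 means valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal option-less IPv4 packet, as 'sendip -p ipv4' does."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def l4_status(pkt: bytes) -> str:
    """Classify whether the L4 header implied by the IP protocol field exists."""
    if len(pkt) < 20:
        return "truncated-ip"
    ver_ihl, proto = pkt[0], pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ver_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "bad-length"
    if ipv4_checksum(pkt[:ihl]) != 0:
        return "bad-checksum"
    needed = MIN_L4_HEADER.get(proto)
    if needed is None:
        return "unknown-proto"
    l4_len = total_len - ihl          # bytes left after the IP header
    if l4_len == 0:
        return "no-l4-header"         # the sendip case: protocol set, nothing follows
    if l4_len < needed:
        return "short-l4-header"
    if proto == 6 and l4_len < (pkt[ihl + 12] >> 4) * 4:
        return "short-l4-header"      # TCP data offset claims more than is present
    return "ok"
```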