Sent with Proton Mail secure email.

On Saturday, April 20th, 2024 at 11:37, William N. <netfilter@xxxxxxxxxx> wrote:

> After spending some time looking for more info and based on this:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v5.8#n700
>
> I think I figured it out:
>
> tcp flags & (fin|syn|rst|ack|urg) != {
>     syn,
>     syn|urg,
>     syn|ack,
>     rst,
>     rst|ack,
>     fin|ack,
>     fin|ack|urg,
>     ack,
>     ack|urg
> } drop comment "TCP invalid"
>
> This checks the listed values against the mask "fin|syn|rst|ack|urg".
> The same values and mask are used in the conntrack code, i.e. it drops
> invalid TCP packets.
>
> According to my own tests, this works in the ingress hook, i.e. early
> drop.
>
> The only question that remains is performance measurement and
> comparison, as mentioned.
>
> Please let me know what you think.

I'd be very interested in seeing some statistics on how many actual
invalid packets you see on a live link. Stick some counters in there and
collect dropped versus passed packets...

My naive guess would be there are only tiny percentage of rejected
packets.

Eric
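The counting Eric asks for can be done inside the ruleset itself. The following is an added example, not part of the thread and not code from either participant: it takes the flag-mask rule quoted above, places it in a netdev ingress chain, and attaches two named counters so dropped and passed TCP packets can be compared with `nft list counters netdev`. The interface name `eth0`, the chain priority and the counter names are assumptions for illustration.

```nft
# Added example: nftables ruleset for measuring how many TCP packets the
# "invalid flags" rule actually drops versus how many pass.
# Load with:  nft -f tcp-invalid-counters.nft
# Inspect:    nft list counters netdev
table netdev filter {
    # Named counters survive rule reloads and can be read independently
    # of the rules that feed them.
    counter tcp_invalid {}
    counter tcp_passed {}

    chain ingress {
        # Device name and priority are assumptions; adjust to the link
        # under measurement. policy accept so only the rules below decide.
        type filter hook ingress device "eth0" priority -500; policy accept;

        # Same mask and set of valid combinations as the rule in the
        # thread (mirroring the conntrack TCP flag table).
        tcp flags & (fin|syn|rst|ack|urg) != {
            syn,
            syn|urg,
            syn|ack,
            rst,
            rst|ack,
            fin|ack,
            fin|ack|urg,
            ack,
            ack|urg
        } counter name "tcp_invalid" drop comment "TCP invalid"

        # Everything TCP that reached this point had an accepted
        # flag combination; count it for the denominator.
        meta l4proto tcp counter name "tcp_passed"
    }
}
```

Reading both counters after a period on a live link gives the dropped-to-passed ratio directly; resetting them with `nft reset counters netdev` starts a fresh measurement window. Note that the passed counter counts TCP packets only, so non-TCP traffic on the interface does not dilute the ratio.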