bugzilla-daemon at netfilter.org
2014-Dec-02 14:03 UTC
[Bug 988] New: manpage: mention that REJECT should be used with care
https://bugzilla.netfilter.org/show_bug.cgi?id=988

            Bug ID: 988
           Summary: manpage: mention that REJECT should be used with care
           Product: iptables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: vda.linux at googlemail.com

I've got a user report. They are using the following set of rules:

-m state --state ESTABLISHED,RELATED -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
...<more open port snipped>...
-j REJECT --reject-with icmp-host-prohibited

and they experience aborted TCP connections. After much investigation, the root cause was found to be ACKs with invalid checksums not matching "-m state --state ESTABLISHED,RELATED", and therefore falling through to the last rule.

I think that this behavior is in fact correct, so I'll propose to my users to close it as NOTABUG and fix their rules to drop invalid packets.

Sadly, this behavior is also *not obvious*: the above rule set looks okay at first glance.

I propose to amend the iptables manpage to help future poor victims of this quirk. In fact, the manpage doesn't mention the REJECT target at all, so let's fix that too. A pseudo-patch follows:

TARGETS
       A firewall rule specifies criteria for a packet and a target. If the
       packet does not match, the next rule in the chain is the examined; if
       it does match, then the next rule is specified by the value of the tar?
       get, which can be the name of a user-defined chain or one of the spe?
-      cial values ACCEPT, DROP, QUEUE or RETURN.
+      cial values ACCEPT, DROP, REJECT, QUEUE or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet
       on the floor. QUEUE means to pass the packet to userspace. (How the
       packet can be received by a userspace process differs by the particular
       queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the
       ip_queue queue handler. Kernels 2.6.14 and later additionally include
       the nfnetlink_queue queue handler. Packets with a target of QUEUE will
       be sent to queue number '0' in this case. Please also see the NFQUEUE
       target as described later in this man page.) RETURN means stop
       traversing this chain and resume at the next rule in the previous
       (calling) chain. If the end of a built-in chain is reached or a rule in
       a built-in chain with target RETURN is matched, the target specified by
       the chain policy determines the fate of the packet.
+      REJECT discards the packet just like DROP does, but it also sends back
+      an error message to the host sending the packet that was blocked.
+      Note that overzealous use of this target can break your networking
+      by generating spurious connection aborts when an unexpected packet
+      is seen. It is advisable to REJECT only packets in specific state
+      (for example, "iptables -A INPUT -m state --state NEW -j REJECT"
+      and drop the rest: "iptables -A INPUT -j DROP")
+      and/or drop invalid packets before rejecting the rest
+      ("iptables -A INPUT -m state --state INVALID -j DROP" before a generic
+      "iptables -A INPUT -j REJECT")

TABLES
-      There are currently three independent tables (which tables are present
+      There are several independent tables (which tables are present
       at any time depends on the kernel configuration options and which mod?
       ules are present).

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141202/2201e045/attachment.html>
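Review bot: the TARGETS hunk adds REJECT to the "special values" list, but that list enumerates the built-in standard targets (ACCEPT, DROP, QUEUE, RETURN), whereas REJECT is a target extension documented in iptables-extensions; the new paragraph would fit better as a cross-reference from this section to the REJECT entry there, with the caveat placed next to that entry. The advice in the "+" lines also presents the INVALID drop as an alternative ("and/or"), yet the breakage described in the report comes precisely from INVALID packets falling through to a generic REJECT, so the paragraph should lead with "iptables -A INPUT -m state --state INVALID -j DROP" ahead of any catch-all REJECT, and offer the NEW-only REJECT as an optional tightening rather than an equal choice.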
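Review bot: in the TABLES hunk, replacing "currently three" with "several" removes a concrete statement without supplying a correct one; if the count is stale, name the tables explicitly (the parenthetical already explains that which ones are present depends on kernel configuration and loaded modules, so a list with that caveat stays accurate) rather than leaving the reader with no number at all.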
bugzilla-daemon at netfilter.org
2014-Dec-02 15:39 UTC
[Bug 988] manpage: mention that REJECT should be used with care
https://bugzilla.netfilter.org/show_bug.cgi?id=988

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|---                         |WONTFIX

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Denys Vlasenko from comment #0)
> I've got a user report. They are using the following set of rules:
> 
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> ...<more open port snipped>...
> -j REJECT --reject-with icmp-host-prohibited

People have to handle the INVALID state, which is the one that those invalid checksum packets are reaching. I mean, there are four ct states, and it's a good practice if your ruleset handles them all.

-- 
You are receiving this mail because:
You are watching all bug changes.
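To make the failure mode in comment #0 and the fix Pablo suggests in comment #1 concrete, here is a small Python model of first-match chain evaluation over the four conntrack states. It is an added example, not code from the bug report or from the netfilter project: it assumes, as the report states, that conntrack classifies the bad-checksum ACK as INVALID, and it models only the matches the thread uses (`-m state --state`, `-p tcp`, `--dport`). The rule and packet names (`Rule`, `Packet`, `run_chain`, `invalid_reaches_reject`) are the example's own, and the sample packets are constructed.

```python
"""Toy model of iptables INPUT-chain traversal with conntrack states.

Added illustration (not netfilter code). A chain is walked top to bottom
and the first matching rule's target is the verdict; if nothing matches,
the chain policy decides. The point: a packet in state INVALID matches
neither ESTABLISHED,RELATED nor NEW, so in the reported ruleset it falls
through to the final REJECT, and the REJECT's ICMP error aborts a
connection that was otherwise healthy.
"""
from dataclasses import dataclass
from typing import Optional, Set, List, Dict

# The four conntrack states a packet can be in (from comment #1).
CT_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")


@dataclass
class Packet:
    proto: str               # "tcp", "udp", "icmp"
    dport: Optional[int]     # destination port, None for protocols without one
    ctstate: str             # one of CT_STATES, as conntrack would classify it


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    states: Optional[Set[str]] = None  # -m state --state A,B   (None = not specified)
    proto: Optional[str] = None        # -p tcp                 (None = any protocol)
    dport: Optional[int] = None        # --dport N              (None = any port)

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold, exactly like iptables rule matching."""
        if self.states is not None and pkt.ctstate not in self.states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First-match semantics: return the target of the first rule that matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def invalid_reaches_reject(rules: List[Rule]) -> bool:
    """Static check a practitioner can run over a ruleset: would an INVALID
    packet, for any protocol, end up at a REJECT? Ports are left unset so
    only protocol- and state-based rules decide, which is the worst case."""
    for proto in ("tcp", "udp", "icmp"):
        if run_chain(rules, Packet(proto, None, "INVALID")) == "REJECT":
            return True
    return False


# Ruleset from the bug report (the "more open ports" are snipped there too).
REPORTED = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", states={"NEW"}, proto="tcp", dport=21),
    Rule("REJECT"),                         # -j REJECT --reject-with icmp-host-prohibited
]

# Same ruleset with INVALID handled explicitly before the catch-all REJECT,
# as comment #1 asks for.
FIXED = [
    Rule("DROP", states={"INVALID"}),       # -m state --state INVALID -j DROP
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", states={"NEW"}, proto="tcp", dport=21),
    Rule("REJECT"),
]

# Constructed sample packets.
BAD_ACK = Packet("tcp", 21, "INVALID")       # ACK with a bad checksum on an open FTP session
GOOD_ACK = Packet("tcp", 21, "ESTABLISHED")  # normal mid-session segment
SYN_FTP = Packet("tcp", 21, "NEW")           # new FTP connection
SYN_SSH = Packet("tcp", 22, "NEW")           # new connection to a closed port


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given ruleset."""
    samples = {"bad_ack": BAD_ACK, "good_ack": GOOD_ACK,
               "syn_ftp": SYN_FTP, "syn_ssh": SYN_SSH}
    return {name: run_chain(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, rules in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, verdicts(rules),
              "INVALID->REJECT" if invalid_reaches_reject(rules) else "INVALID handled")
```

Under the reported ruleset the bad-checksum ACK gets REJECT, so the peer receives icmp-host-prohibited for a connection it believes is alive; under the fixed ruleset it is silently dropped and the peer simply retransmits. The ordering matters: the INVALID drop has to sit before the generic REJECT, and `invalid_reaches_reject` is the kind of check to run on a ruleset before deploying a catch-all REJECT.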
bugzilla-daemon at netfilter.org
2014-Dec-04 15:13 UTC
[Bug 988] manpage: mention that REJECT should be used with care
https://bugzilla.netfilter.org/show_bug.cgi?id=988

--- Comment #2 from Denys Vlasenko <vda.linux at googlemail.com> ---
I don't understand your WONTFIX. I understand if you don't want to go into REJECT's specifics, but are you okay with the manpage not even mentioning that REJECT *exists*?!!

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-Dec-04 15:22 UTC
[Bug 988] manpage: mention that REJECT should be used with care
https://bugzilla.netfilter.org/show_bug.cgi?id=988

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Denys Vlasenko from comment #2)
> I understand if you don't want to go into REJECT's specifics, but are you
> okay with manpage not even mentioning that REJECT *exists*?!!

The list of targets in the manpage refers to the standard targets, which are the built-in actions that the Netfilter framework provides. We have more than 30 different targets (not only REJECT), so I don't think it makes sense to list them all there. man iptables-extensions lists and details the existing extensions.

-- 
You are receiving this mail because:
You are watching all bug changes.