netfilter buglog - Dec 2014 - [Bug 988] New: manpage: mention that REJECT should be used with care

https://bugzilla.netfilter.org/show_bug.cgi?id=988

            Bug ID: 988
           Summary: manpage: mention that REJECT should be used with care
           Product: iptables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: vda.linux at googlemail.com

I've got a user report. They are using the following set of rules:

-m state --state ESTABLISHED,RELATED -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
...<more open port snipped>...
-j REJECT --reject-with icmp-host-prohibited

and they experience aborted TCP connections. After much investigation,
the root cause was found to be ACKs with invalid checksums
not matching "-m state --state ESTABLISHED,RELATED", and therefore
falling through to the last rule.

I think that this behavior is in fact correct, so I'll propose to my users
to close it as NOTABUG and fix their rules to drop invalid packets.

Sadly, this behavior is also *not obvious*:
the above rule set looks okay at the first glance.

I propose to amend iptables manpage to help future poor victims of this quirk.
In fact, manpage doesn't mention REJECT target at all, so let's fix that
too.

A pseudo-patch follows:

TARGETS
       A  firewall  rule specifies criteria for a packet and a target.  If the
       packet does not match, the next rule in the chain is the  examined;  if
       it does match, then the next rule is specified by the value of the tar?
       get, which can be the name of a user-defined chain or one of  the  spe?
-      cial values ACCEPT, DROP, QUEUE or RETURN.
+      cial values ACCEPT, DROP, REJECT, QUEUE or RETURN.

       ACCEPT  means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to userspace.   (How  the
       packet can be received by a userspace process differs by the particular
       queue handler.  2.4.x and  2.6.x  kernels  up  to  2.6.13  include  the
       ip_queue  queue handler.  Kernels 2.6.14 and later additionally include
       the nfnetlink_queue queue handler.  Packets with a target of QUEUE will
       be  sent  to queue number '0' in this case. Please also see the
NFQUEUE
       target as described  later  in  this  man  page.)   RETURN  means  stop
       traversing  this  chain  and  resume  at  the next rule in the previous
       (calling) chain.  If the end of a built-in chain is reached or  a  rule
       in a built-in chain with target RETURN is matched, the target specified
       by the chain policy determines the fate of the packet.

+      REJECT discards the packet just like DROP does, but it also sends back +
     an error message to the host sending the packet that was blocked.
+      Note that overzealous use of this target can break your networking
+      by generating spurious connection aborts when an unexpected packet
+      is seen. It is advisable to REJECT only packets in specific state
+      (for example, "iptables -A INPUT -m state --state NEW -j
REJECT"
+      and drop the rest: "iptables -A INPUT -j DROP")
+      and/or drop invalid packets before rejecting the rest
+      ("iptables -A INPUT -m state --state INVALID -j DROP" before a
generic
+      "iptables -A INPUT -j REJECT")

TABLES
-      There are currently three independent tables (which tables are  present
+      There are several independent tables (which tables are  present
       at  any time depends on the kernel configuration options and which mod?
       ules are present).

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141202/2201e045/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=988

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|---                         |WONTFIX

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Denys Vlasenko from comment #0)
> I've got a user report. They are using the following set of rules:
> 
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> ...<more open port snipped>...
> -j REJECT --reject-with icmp-host-prohibited
People have to handle the INVALID state, which is the one that those invalid
checksum packets are reaching.

I mean, there are four ct states, and it's a good practise if your ruleset
handles them all.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141202/07c46399/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=988

--- Comment #2 from Denys Vlasenko <vda.linux at googlemail.com> ---
I don't understand your WONTFIX.

I understand if you don't want to go into REJECT's specifics, but are
you okay
with manpage not even mentioning that REJECT *exists*?!!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141204/ec03a863/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=988

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Denys Vlasenko from comment #2)
> I understand if you don't want to go into REJECT's specifics, but
are you
> okay with manpage not even mentioning that REJECT *exists*?!!
The list of targets in the manpage refers to the standard targets, which are
the built-in actions that the Netfilter framework provides.

We have more than 30 different targets (not only REJECT) so I don't think it
makes sense to list them all there.

man iptables-extensions lists and details the existing extensions.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20141204/87f5278e/attachment.html>