
Re: iptables and INVALID packet filtering.



Hello,

Matthew Babcock wrote:
> Please excuse the delayed response. 

No problem.

> To answer your question, no I cannot, yet.
> 
> However, I can demonstrate iptables following what the "state" be on UDP
> packets using DNS.
[...]
> You should see as I do, that the UDP DNS request are logged under the
> state NEW, and that the response was logged under the state ESTABLISHED.

Nothing new here. The possible conntrack states for UDP are:
- NEW for a datagram creating a new connection or belonging to a
"connection" which has seen traffic in only one direction;
- ESTABLISHED for a datagram belonging to a "connection" which has seen
traffic in both directions;
- RELATED when a conntrack helper expects a UDP datagram related to an
existing connection (e.g. TFTP or SIP).

Note that this is not specific to UDP, conntrack does the same with all
connectionless protocols.

> I consider this, iptables differentiating between "New" and
> "Established" UDP "connections", reason to extrapolate that iptables can
> follow state in UDP packets such as flagging on "Invalid" or out of
> state UDP packets.

UDP is connectionless by nature, so how would you define the INVALID
state of a UDP datagram?

> I aim to try and create an "Invalid" UDP state packet. I will follow up
> if I try regardless of the outcome. 

Good luck. I meant it.


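The state rule described in the reply above, as an added example (not part of the original e-mail and not netfilter code): a toy model of how conntrack classifies UDP datagrams. An entry is keyed by the 5-tuple of the first datagram; a datagram matching no entry in either direction simply creates one and is NEW, a datagram in the reply direction makes the entry ESTABLISHED, and there is no path that yields INVALID. The addresses, ports and the two timeouts (30 s unreplied, 120 s once both directions have been seen) are assumptions made for the example; the real values are in /proc/sys/net/netfilter/nf_conntrack_udp_timeout and nf_conntrack_udp_timeout_stream. Helper-based RELATED expectations are not modelled.

```python
"""Toy model of conntrack's NEW/ESTABLISHED classification for UDP.

Added example, not netfilter code. It models only the rule stated in the
reply: one direction seen -> NEW, both directions seen -> ESTABLISHED.
"""
from dataclasses import dataclass

# Assumed timeouts, modelled on the stock kernel sysctls
# nf_conntrack_udp_timeout (unreplied) and nf_conntrack_udp_timeout_stream.
UDP_TIMEOUT = 30.0
UDP_TIMEOUT_STREAM = 120.0


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    t: float = 0.0  # arrival time in seconds (constructed, for expiry)

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        # The same flow seen from the other side.
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class Entry:
    seen_reply: bool = False  # models IPS_SEEN_REPLY
    expires: float = 0.0


class UdpConntrack:
    def __init__(self):
        self.table = {}  # original-direction key -> Entry

    def _expire(self, now):
        for k in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[k]

    def classify(self, dg):
        """Return the conntrack state a rule like
        '-m conntrack --ctstate ...' would see for this datagram."""
        self._expire(dg.t)
        entry = self.table.get(dg.key())
        direction = "original"
        if entry is None:
            entry = self.table.get(dg.reply_key())
            direction = "reply"
        if entry is None:
            # Unknown in both directions: create an entry. For UDP this is
            # the only outcome for an unmatched datagram; nothing is INVALID.
            self.table[dg.key()] = Entry(expires=dg.t + UDP_TIMEOUT)
            return "NEW"
        if direction == "reply":
            entry.seen_reply = True
        timeout = UDP_TIMEOUT_STREAM if entry.seen_reply else UDP_TIMEOUT
        entry.expires = dg.t + timeout
        return "ESTABLISHED" if entry.seen_reply else "NEW"


def dns_exchange():
    """Constructed DNS-style exchange; returns the state of each datagram."""
    ct = UdpConntrack()
    client, server = "192.0.2.10", "192.0.2.53"
    query = Datagram(client, 40000, server, 53, t=0.00)
    retransmit = Datagram(client, 40000, server, 53, t=0.01)
    answer = Datagram(server, 53, client, 40000, t=0.02)
    followup = Datagram(client, 40000, server, 53, t=0.03)
    # Unsolicited datagram to the client's port from an unrelated host.
    stray = Datagram("198.51.100.7", 5000, client, 40000, t=0.04)
    # Same 5-tuple again long after the stream timeout has elapsed.
    late = Datagram(client, 40000, server, 53, t=400.0)
    return [
        ("query", ct.classify(query)),
        ("retransmit before any reply", ct.classify(retransmit)),
        ("answer", ct.classify(answer)),
        ("follow-up query", ct.classify(followup)),
        ("stray datagram", ct.classify(stray)),
        ("query after timeout", ct.classify(late)),
    ]


if __name__ == "__main__":
    for label, state in dns_exchange():
        print(f"{label:28s} {state}")
```

The stray datagram is the instructive case for the question in the reply: it matches nothing, so conntrack has no basis to call it INVALID and simply opens a fresh NEW entry, which is exactly why `--ctstate INVALID` never triggers on plain UDP.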