Posted: Tue Oct 19, 2021 12:00 Post subject: nf_conntrack_checksum - SysCTL function
What exactly does the "nf_conntrack_checksum" option in SysCTL do? The official description is:
Code:
"nf_conntrack_checksum - BOOLEAN
0 - disabled
not 0 - enabled (default)
Verify checksum of incoming packets. Packets with bad checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking."
Does that mean that setting that option to 0 (disabled) will allow/accept packets with bad checksums onto my network? My IPTables include rules to drop INVALID packets, but I don't know whether the mentioned conntrack SysCTL option negates those rules.
Some say that packets with bad checksums will still be dropped by kernel if that option is set to 0 (disabled).
The bad checksum should be associated with the IP header, and so if that is not correct, then who knows where the packet was intended to go... The intent of the iptables rule is that those are invalid packets (i.e. they should never be present); some systems will respond to them, so filtering them out is better.
Conntrack is a different subsystem, so in this case the kernel will either ignore the packets or, if this is set, the packets will automatically not be put in the conntrack subsystem.
What I am trying to figure out is whether "nf_conntrack_checksum=1" is required for iptables to drop packets with bad checksums if the iptables rules already specify to drop INVALID packets.
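As an added example (not from this thread or from the kernel documentation), a small POSIX shell audit that checks the two things the question turns on: whether nf_conntrack_checksum is enabled, and whether the iptables-save output contains a rule dropping ctstate INVALID. Per the quoted documentation, bad-checksum packets are only placed in INVALID state when verification is on, so the audit reports success only when both conditions hold. The sysctl path and the ruleset text are passed in as parameters so it can be run against constructed inputs; the live-usage line at the bottom is an assumption about how it would be invoked on a router.

```shell
#!/bin/sh
# Added example, not from the thread. Audits (a) whether
# nf_conntrack_checksum is enabled and (b) whether the filter ruleset drops
# packets in ctstate INVALID. Per the quoted docs, a bad-checksum packet is
# only marked INVALID when (a) holds, so rule (b) can only act on it then.

SYSCTL_FILE=/proc/sys/net/netfilter/nf_conntrack_checksum   # real path

# Return 0 if the sysctl file ($1) holds a non-zero value, 1 if it holds
# "0", and 2 if the file cannot be read (module not loaded, wrong path).
conntrack_checksum_enabled() {
    val=$(cat "$1" 2>/dev/null) || return 2
    [ "$val" != "0" ]
}

# Return 0 if the iptables-save text ($1) contains a rule that drops
# INVALID conntrack state, via either the conntrack match or the legacy
# state match.
invalid_drop_present() {
    printf '%s\n' "$1" |
        grep -Eq -- '-m (conntrack --ctstate|state --state) INVALID .*-j DROP'
}

# Print a one-line verdict; exit status 0 only when both conditions hold,
# i.e. a bad-checksum packet would actually reach the INVALID drop rule.
audit_invalid_handling() {
    if conntrack_checksum_enabled "$1"; then cs=on; else cs=off; fi
    if invalid_drop_present "$2"; then rule=present; else rule=missing; fi
    echo "nf_conntrack_checksum=$cs invalid_drop_rule=$rule"
    [ "$cs" = on ] && [ "$rule" = present ]
}

# Live usage on a router (assumed invocation, needs root):
#   audit_invalid_handling "$SYSCTL_FILE" "$(iptables-save)"
```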