nf_conntrack_checksum - SysCTL function

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Tue Oct 19, 2021 12:00    Post subject: nf_conntrack_checksum - SysCTL function
What exactly does the "nf_conntrack_checksum" option in SysCTL do? The official description is:
Code:
"nf_conntrack_checksum - BOOLEAN
0 - disabled
not 0 - enabled (default)
Verify checksum of incoming packets. Packets with bad checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking."


Does that mean that setting that option to 0 (disabled) will allow/accept packets with bad checksums onto my network? My IPTables include rules to drop INVALID packets, but I don't know whether the mentioned conntrack SysCTL option negates those rules.

Some say that packets with bad checksums will still be dropped by kernel if that option is set to 0 (disabled).
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1178

PostPosted: Wed Oct 20, 2021 21:24    Post subject:
The bad checksum should be associated with the IP header, and so if that is not correct, then who knows where the packet was intended... The intent of the iptables rule is that those are invalid packets (i.e. they should never be present); some systems will respond to them, so filtering them out is better.

The conntrack is a different subsystem, so in this case the kernel will either ignore the packets, or if this is set the packets will automatically not be put in the conntrack subsystem.
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Sat Oct 23, 2021 13:50    Post subject:
What I am trying to figure out is whether "nf_conntrack_checksum=1" is required for IPTables to drop packets with bad checksums if IPTables rules already specify to drop INVALID packets.
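An added check, not part of this thread, that illustrates the dependency the question is about: conntrack only classifies a packet with a bad layer-4 checksum as INVALID while nf_conntrack_checksum is non-zero, so a "--ctstate INVALID -j DROP" rule catches such packets only under that setting (the IP header checksum is verified by the IP stack separately, before netfilter). The script evaluates a sysctl value against a constructed iptables-save excerpt; the function names and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example: decide, from a sysctl value and an iptables-save dump,
# whether bad-L4-checksum packets will reach an "INVALID -> DROP" rule.
# Everything below is constructed input; no live system is touched.

# Constructed excerpt standing in for a router's filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
COMMIT'

# has_invalid_drop CHAIN RULES
# Returns 0 if CHAIN has a rule dropping INVALID via either the conntrack
# match (--ctstate) or the legacy state match (--state).
has_invalid_drop() {
    chain=$1
    rules=$2
    printf '%s\n' "$rules" |
        grep -E "^-A $chain .*(--ctstate|--state) [A-Z,]*INVALID[A-Z,]* -j DROP" >/dev/null
}

# bad_checksum_dropped SYSCTL_VALUE CHAIN RULES
# Prints one of: dropped, tracked, no-rule. Returns 0 only for "dropped".
bad_checksum_dropped() {
    sysctl_value=$1
    chain=$2
    rules=$3
    if [ "$sysctl_value" = "0" ]; then
        # Checksum verification is off: conntrack never marks the packet
        # INVALID, so the drop rule does not apply and the flow is tracked.
        echo tracked
        return 1
    fi
    # Any non-zero value means enabled (the documented default).
    if has_invalid_drop "$chain" "$rules"; then
        echo dropped
        return 0
    fi
    echo no-rule
    return 1
}

# Demonstration on the constructed data (prints "dropped").
bad_checksum_dropped 1 INPUT "$SAMPLE_RULES"
```

On a live box the two inputs come from `sysctl -n net.netfilter.nf_conntrack_checksum` and `iptables-save`.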