Bug 355471
| Summary: | A response to a broadcast "ICMP ping" is considered "invalid" by iptables | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | David Tonhofer <bughunt> |
| Component: | kernel | Assignee: | Thomas Graf <tgraf> |
| Status: | CLOSED NOTABUG | QA Contact: | Martin Jenner <mjenner> |
| Severity: | low | Priority: | low |
| Version: | 4.0 | CC: | rkhan, twoerner |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2008-06-13 20:33:25 UTC |

Description
David Tonhofer
2007-10-27 20:46:12 UTC
This is not a userland iptables problem. iptables is only the configuration utility to set up netfilter in the kernel. Assigning to kernel.

Red Hat support says this is working as designed. Service Request 1779266:

"I discussed this issue with Engineering and they are of the opinion that this is by design and is not a bug. Below are the comments from Engineering."

--------------

After thinking about this, I'm going to have to think that this is by design. The stateful matching of iptables classifies this as an invalid packet because there is no stream, related or otherwise, coming back from those hosts. While the function may be valid on a network, the "packet" is not valid in regards to connection tracking.

--------------

The workaround is as follows: "If you are dropping INVALID packets and want broadcast ping to work, you should add an iptables rule before the rule to drop INVALID packets. Only then would you be able to accept ICMP replies for broadcast pings."

OR agrees.
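
The rule ordering the workaround describes, as an added example that is not part of the bug report or of Red Hat's reply: two constructed rulesets in iptables-save format and a check that the echo-reply ACCEPT comes before the INVALID DROP in the INPUT chain. The function name `check_order`, the sample rules and the `192.0.2.0/24` source restriction (a placeholder for the local subnet, so replies are not accepted from everywhere) are assumptions.

```shell
#!/bin/sh
# Constructed sample rulesets in iptables-save format (not taken from the report).
# 192.0.2.0/24 is a placeholder for the subnet the broadcast ping is sent to.

# Weak ordering: replies to a broadcast ping hit the INVALID drop first.
RULES_BROKEN='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
COMMIT'

# Corrected ordering: the echo-reply accept sits before the INVALID drop.
RULES_FIXED='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# check_order RULESET
# Prints a verdict and returns 0 only if an ICMP echo-reply ACCEPT precedes
# the first INVALID DROP in INPUT (or if there is no INVALID DROP at all).
# Matches both "-m state --state" and "-m conntrack --ctstate" spellings.
check_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            if (!reply && /-p icmp/ && /--icmp-type (0|echo-reply)( |$)/ && /-j ACCEPT/) reply = n
            if (!drop && /--(ct)?state [A-Z,]*INVALID/ && /-j DROP/) drop = n
        }
        END {
            if (!drop)  { print "ok: no INVALID drop rule"; exit 0 }
            if (!reply) { print "blocked: no echo-reply accept rule"; exit 1 }
            if (reply < drop) {
                print "ok: echo-reply accept (rule " reply ") precedes INVALID drop (rule " drop ")"
                exit 0
            }
            print "blocked: INVALID drop (rule " drop ") precedes echo-reply accept (rule " reply ")"
            exit 1
        }'
}
```

On a live host the same check can be fed the output of `iptables-save` instead of the embedded samples.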