Re: Interesting fw log: "ICMP type 3 not embeddable"

From: Ian Jones (roux@attbi.com)
Date: 06/15/02


From: Ian Jones <roux@attbi.com>
Date: Sat, 15 Jun 2002 02:03:15 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Heiming <michael+USENET@heiming.de> writes:

> Those entries showing up in my logs:
>
> Jun 15 00:38:16 host kernel: invalid IN=ppp0 OUT= MAC= SRC=217.89.16.115 DST=My.external.IP LEN=56 TOS=0x00 PREC=0x00 TTL=56 ID=30304 PROTO=ICMP TYPE=3 CODE=3 [SRC=My.external.IP DST=172.20.10.1 LEN=62 TOS=0x00 PREC=0xC0 TTL=249 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 ]
> Jun 15 00:38:16 host kernel: ipt_unclean: (embedded packet) ICMP type 3 not embeddable
>
> ICMP type 3 means host not reachable and the message is from
> /usr/src/linux/net/ipv4/netfilter/ipt_unclean.c
>
> Probably triggered by:
>
> [..]
> $IPTABLES -A INPUT -m unclean -i ! $DEV_LOOP -j invalid
> $IPTABLES -A invalid -m limit -j LOG --log-prefix "invalid "
> $IPTABLES -A invalid -j REJECT -j LOG --log-prefix "INVALID "
>
> However, was this really just a somehow malformed packet or is
> there more about it?

I could be off base here, but....

I suspect that you have an attempt to break RFCs in your ruleset. Do
you use any "-j REJECT --reject-with..." rules in response to ICMP
errors?

A quick glance through linux/net/ipv4/netfilter/ipt_unclean.c shows
the source of your log message:

,----
| } else {
|         /* CHECK: Can't embed ICMP unless known non-error. */
|         if (icmph->type >= sizeof(info)/sizeof(struct icmp_info)
|             || info[icmph->type].err != ICMP_NOT_ERROR) {
|                 limpk("ICMP type %u not embeddable\n",
|                       icmph->type);
|                 return 0;
|         }
`----

As you know, an ICMP error message must include at least 28 bytes of
the datagram which caused the error to be sent. ICMP errors should
never be sent in response to an ICMP error, but you appear to be
trying to do just that.

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE9CpuKwBVKl/Nci0oRAtZBAKCtKMtvp6bniOiU3FsFsZo+X+U3RwCeITvQ
xtazC+ERG3+D9tg6hZcVZg4=
=9Iai
-----END PGP SIGNATURE-----
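The check Ian quotes, as an added example that is not part of the original thread or of the kernel source: a user-space C model of ipt_unclean's embedded-ICMP test, run over constructed packets shaped like the one in Michael's log (56 bytes: outer IP header and ICMP type 3, embedding a 20-byte IP header plus 8 bytes of a second ICMP type 3). The names check_icmp_embedded, build_icmp and check_case are mine, and the type table is the RFC 792 / RFC 1256 assignment written from memory rather than a copy of the kernel's info[] array.

```c
/* Added example, not from the original post or from the kernel: a user-space model
 * of the ipt_unclean "embedded ICMP" check, run over constructed packets. The ICMP
 * type table follows RFC 792 / RFC 1256 and is my assumption, not the kernel's info[]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1   /* IP protocol numbers, named here to avoid <netinet/in.h> */
#define PROTO_UDP  17

/* ICMP types that report an error. Such a message carries the IP header plus
 * 8 bytes of the datagram that caused it, and by RFC 1122 3.2.2 must never be
 * generated in response to another ICMP error. */
static int icmp_is_error(unsigned type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Assigned non-error types (echo, router discovery, timestamp, info, mask):
 * the only ones allowed inside an ICMP error's embedded datagram. */
static int icmp_embeddable(unsigned type)
{
    return type == 0 || type == 8 || type == 9 || type == 10 || (type >= 13 && type <= 18);
}

struct ipv4_view { size_t hlen; unsigned proto; };
static int parse_ipv4(const uint8_t *p, size_t len, struct ipv4_view *v)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return 0;
    v->hlen = (p[0] & 0x0f) * 4u;
    v->proto = p[9];
    return v->hlen >= 20 && v->hlen <= len;
}

#define VERDICT(v, ...) do { snprintf(why, n, __VA_ARGS__); return (v); } while (0)

/* Returns 1 if the datagram passes, 0 if ipt_unclean would log it. Non-ICMP and
 * non-error ICMP pass straight through; only ICMP errors get their payload inspected. */
int check_icmp_embedded(const uint8_t *pkt, size_t len, char *why, size_t n)
{
    struct ipv4_view outer, inner;
    if (!parse_ipv4(pkt, len, &outer))
        VERDICT(0, "bad IP header");
    if (outer.proto != PROTO_ICMP)
        VERDICT(1, "not ICMP");
    const uint8_t *icmp = pkt + outer.hlen;
    size_t icmp_len = len - outer.hlen;
    if (icmp_len < 8)
        VERDICT(0, "ICMP header truncated");
    if (!icmp_is_error(icmp[0]))
        VERDICT(1, "ICMP type %u is not an error", (unsigned)icmp[0]);
    /* Error message: the payload must be the offending datagram's IP header plus
     * at least 8 bytes of its transport header, i.e. 28 bytes for a plain header. */
    const uint8_t *emb = icmp + 8;
    size_t emb_len = icmp_len - 8;
    if (!parse_ipv4(emb, emb_len, &inner) || emb_len < inner.hlen + 8)
        VERDICT(0, "ICMP error must embed IP header + 8 bytes");
    if (inner.proto == PROTO_ICMP && !icmp_embeddable(emb[inner.hlen]))
        VERDICT(0, "ICMP type %u not embeddable", (unsigned)emb[inner.hlen]);
    snprintf(why, n, "ok");
    return 1;
}

/* Constructed packets: 20-byte IPv4 header, zero addresses, no checksums
 * (the embedded-packet check never looks at them). */
static void put_ipv4(uint8_t *o, unsigned proto, unsigned tot_len, unsigned ttl)
{
    memset(o, 0, 20);
    o[0] = 0x45;
    o[2] = (uint8_t)(tot_len >> 8); o[3] = (uint8_t)tot_len;
    o[8] = (uint8_t)ttl;            o[9] = (uint8_t)proto;
}

/* The 56-byte shape from the log: outer IP + ICMP header + embedded IP header
 * (LEN 62, TTL 249 as logged) + the first 8 bytes of its transport header. */
size_t build_icmp(uint8_t *o, unsigned outer_type, unsigned outer_code,
                  unsigned inner_proto, const uint8_t inner_l4[8])
{
    put_ipv4(o, PROTO_ICMP, 56, 56);
    o[20] = (uint8_t)outer_type; o[21] = (uint8_t)outer_code; memset(o + 22, 0, 6);
    put_ipv4(o + 28, inner_proto, 62, 249);
    memcpy(o + 48, inner_l4, 8);
    return 56;
}

/* One case: outer ICMP `outer_type` (code 3) wrapping an inner datagram of `inner_proto`
 * whose transport header starts with `inner_first` (the ICMP type when it is ICMP). */
int check_case(unsigned outer_type, unsigned inner_proto, unsigned inner_first,
               char *why, size_t n)
{
    uint8_t pkt[64];
    const uint8_t l4[8] = { (uint8_t)inner_first, 3, 0, 0, 0, 0, 0, 0 };
    return check_icmp_embedded(pkt, build_icmp(pkt, outer_type, 3, inner_proto, l4), why, n);
}
```

check_case(3, PROTO_ICMP, 3, why, sizeof why) reproduces the logged packet and fails with the same "ICMP type 3 not embeddable" reason; the same outer type 3 around a UDP header, which is what an ordinary port-unreachable carries, passes. Cutting the packet short of the 28 embedded bytes trips the length test first, which is the other message ipt_unclean's embedded-packet path can emit for an ICMP error.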