From: "Loïc Minier" <lool+netfilter@via.ecp.fr>
To: Netfilter <netfilter@lists.netfilter.org>
Subject: Connections with SYN aren't NEW
Date: Sun, 14 Dec 2003 17:23:15 +0100
Message-ID: <20031214162315.GA897@via.ecp.fr>
Hey list,
I am using a 2.4.22 with the ebtables + br-nf patch of
ebtables.sourceforge.net. I am currently not DROPping packets, only
logging for a while as a safety for my new rules on this host.
I face a problem with some TCP connections: I want to accept new
TCP connections only if they match both --syn and -m state --state
NEW. This turns out to be a bad practice in some cases where I see
legitimate new TCP connections with correct flags matching --syn but
which do not match -m state --state NEW.
This happens a lot with HTTP clients and with DNS requests, and I
think this is because of port reuse:
- the HTTP client opens a connection from port xyz to port 80
- it finishes the session and closes the connection
- it reopens another connection with the same port xyz to the same
host on port 80
However, grepping the /proc/net/ip_conntrack shows two different
entries in such cases.
Am I wrong in thinking the connections should match -m state --state
NEW, even if a connection happened with the same ports/ips a few
seconds ago? What can I change to fulfill my wishes?
Kind regards,
--
Loïc Minier <lool@dooz.org>
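The post says that grepping /proc/net/ip_conntrack shows two entries for the same client port. The script below is an added example (not part of the original mail or the netfilter project) that parses conntrack lines in the 2.4-era text format and reports any original-direction 5-tuple that appears more than once, together with each entry's state, remaining timeout and whether it is still [UNREPLIED]. The sample lines are constructed, not a real capture, and the line format is assumed from the 2.4 ip_conntrack layout.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/net/ip_conntrack lines (2.4-era format), not a real capture.
# Two entries share the client tuple 192.168.1.10:1040 -> 10.0.0.5:80, i.e. the port-reuse
# situation described in the post: an old TIME_WAIT entry and a fresh, unreplied SYN_SENT one.
SAMPLE = """\
tcp      6 9 TIME_WAIT src=192.168.1.10 dst=10.0.0.5 sport=1040 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=1040 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=1040 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=80 dport=1040 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=1041 dport=80 src=10.0.0.5 dst=192.168.1.11 sport=80 dport=1041 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=1052 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=1052 use=1
"""

# proto, protocol number, timeout, optional TCP state, then the original-direction tuple.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per parsable line: original-direction tuple, state, timeout, reply seen."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["state"] = d["state"] or "-"  # UDP entries carry no state column
        d["timeout"] = int(d["timeout"])
        d["unreplied"] = "[UNREPLIED]" in line
        entries.append(d)
    return entries


def find_reused_tuples(entries):
    """Group by original-direction 5-tuple; return only tuples that occur more than once."""
    groups = defaultdict(list)
    for e in entries:
        key = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        groups[key].append((e["state"], e["timeout"], e["unreplied"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for key, states in find_reused_tuples(parse_conntrack(SAMPLE)).items():
        print("%s %s:%s -> %s:%s" % key)
        for state, timeout, unreplied in states:
            print("  state=%s timeout=%ds unreplied=%s" % (state, timeout, unreplied))
```

Run it against a saved copy of /proc/net/ip_conntrack instead of SAMPLE to see whether a lingering TIME_WAIT entry sits beside the new SYN_SENT entry for the same ports.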