* ipt_unclean query
@ 2006-04-08  8:06 Sumit
  2006-04-08 16:44 ` Phil Oester
  0 siblings, 1 reply; 2+ messages in thread
From: Sumit @ 2006-04-08  8:06 UTC (permalink / raw)
  To: netfilter-devel

Hi Devs,
	After making an unclean DROP ruleset I got "not-working" complaints from 
some of my clients who are using a specific stock-trading application.
	Simply looking at dmesg I found there are a few messages stating that
ipt_unclean: TCP flags bad: 0x0015
	This message means the unclean match is dropping TCP packets with ACK, RST, 
and FIN flags. This I confirmed with the ipt_unclean.c code.
	As per RFC793 (TCP)
...	...	...
In all states except SYN-SENT, all reset (RST) segments are validated by 
checking their SEQ-fields.  A reset is valid if its sequence number is 
in the window.
...	...	...
	Then is there any significance in dropping the ACK+RST+FIN combination?

Happy Netfiltering,
--
  _____     __    __    ____   ____    __    ______
/\  ___\  /\  \ /\  \ /\  \ \/ /\  \ /\  \ /\__   _\
\ \ ____\ \ \  \\_|  \\ \  \_ /\ \  \\ \  \\__ \  \/
  \//\___ \ \ \______ / \ \__\   \ \__\\ \__\  \ \__\
   \/_____/  \/_____ /   \/__/    \/__/ \/__/   \/__/
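
The flag word in the dmesg line quoted above can be decoded mechanically. The following is an added example, not part of the original message and not code from ipt_unclean.c: it pulls the hex value out of lines in the quoted message format, names the TCP header flag bits that are set, and tallies the combinations so an administrator can see what the match is dropping. The sample log lines are constructed; only the 0x0015 value comes from the post.

```python
import re
from collections import Counter

# TCP header flag bits (RFC 793, plus ECE/CWR from RFC 3168), low bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Message format as quoted in the post; any prefix (timestamp etc.) is ignored.
LOG_RE = re.compile(r"ipt_unclean: TCP flags bad: 0x([0-9A-Fa-f]+)")


def decode_flags(value):
    """Return the names of the flag bits set in a logged flag word."""
    names = [name for bit, name in TCP_FLAGS if value & bit]
    leftover = value & ~0xFF  # bits outside the 8 flag bits are reported raw
    if leftover:
        names.append("unknown(0x%x)" % leftover)
    return names


def summarize(lines):
    """Count how often each flag combination appears in the given log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            combo = "+".join(decode_flags(int(m.group(1), 16))) or "none"
            counts[combo] += 1
    return counts


# Constructed sample input (not real logs); 0x0015 is the value from the post.
SAMPLE = [
    "[ 1201.4] ipt_unclean: TCP flags bad: 0x0015",
    "[ 1201.9] ipt_unclean: TCP flags bad: 0x0015",
    "[ 1310.2] ipt_unclean: TCP flags bad: 0x0003",
    "[ 1311.0] eth0: link up",
]

if __name__ == "__main__":
    for combo, n in summarize(SAMPLE).most_common():
        print("%-12s %d" % (combo, n))
```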
