conntrack has problems with syn-ack-psh set

conntrack has problems with syn-ack-psh set

[Shaun Savage]

I am have a problem getting iptables to work with a bain dead linksys 
printserver.  After is receives a syn packet it send a syn-ack-psh 
packet.  Is psh allowed here?  The conntrack can't find a match and the 
  packet is INVALID.  NO connection.

my firewall looks like this, please forgive wraparound, spelling,...
eth1 net
eth0 local


$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 9100 -j DNAT --net-dest 
                                                192.168.0.49

$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE

$IPT -A FORWARD  -i eth0  state --state INVALID -j DROP


Do I have mangle the packet first to get rid of the push flag? how?
Is this a feature if iptables?

shaun

Re: conntrack has problems with syn-ack-psh set

[Jason Opperisano]

On Mon, Dec 27, 2004 at 04:59:52PM -0800, Shaun Savage wrote:
> I am have a problem getting iptables to work with a bain dead linksys 
> printserver.  After is receives a syn packet it send a syn-ack-psh 
> packet.  Is psh allowed here?  The conntrack can't find a match and the 
>  packet is INVALID.  NO connection.

SYN-ACK-PSH is not a valid response to a SYN packet.  you will never
get iptables (or any stateful firewall) to recognize this as a valid
connection.  you will have to allow this communication without relying on
"-m state."

-j

Re: conntrack has problems with syn-ack-psh set

[Michael Mueller]

Hi Jason,

you wrote:
> SYN-ACK-PSH is not a valid response to a SYN packet.  you will never

What does make you think so? I can not find any hint in RFC973 and 
RFC1211 saying so.
IMO it is a perfectly valid reply, even if it a rather unusual one and 
might be a case for applying a normalization (here removing the PSH flag 
and any data) on it.


Michael