Re: TCP Connection tracking and SYN/ACK/PSH

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tim Burress <tim@variosecure.net>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: netfilter-devel@lists.netfilter.org,
	NIIBE Yutaka <gniibe@fsij.org>,
	ukai@debian.or.jp
Subject: Re: TCP Connection tracking and SYN/ACK/PSH
Date: Fri, 22 Apr 2005 18:38:03 +0900	[thread overview]
Message-ID: <4268C5FB.5040201@variosecure.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0504200842001.22001@filer.marasystems.com>

Hello!

Henrik Nordstrom wrote:

> On Wed, 20 Apr 2005, Tim Burress wrote:
>
>> explicitly forbidden during the handshake [RFC 793, pg. 30]. In any 
>> other protocol, a request to perform a prohibited operation would, I 
>> think, be considered invalid, so in the end I think Netfilter is 
>> doing the right thing, inconvenient as it may be for a few devices.
>
>
> I am of a slightly different opinion. These segments is not invalid 
> (only odd) and won't cause any disturbance to the TCP protocol as long 
> as the standard on how to process received segments is followed.
>
> I am of the opinion that as long as the traffic is not explicitly 
> violating the protocol conntrack should track it. Stricter checking 
> belongs in a separate match such as unclean if desired imho.

I think the segments are invalid (or at least in-something), but I agree 
with your second point. Since PSH has no bearing on TCP connection 
state, it seems like it might be better to treat PSH the same way as ECE 
and CWR, and have conntrack ignore it. Other layers could then decide 
whether to accept or drop combinations like SYN+ACK+PSH depending on how 
strictly they want to enforce protocol conventions in the firewall. It's 
not so much a question of whether the segments are valid or not as 
whether strict protocol enforcement (beyond what is needed for 
connection tracking) is really conntrack's job. And since I didn't 
design it, I'm not sure!

Tim

next prev parent reply	other threads:[~2005-04-22  9:38 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-04-17 10:37 TCP Connection tracking and SYN/ACK/PSH NIIBE Yutaka
2005-04-18  1:34 ` Henrik Nordstrom
2005-04-18 23:06   ` Phil Oester
2005-04-20  1:30   ` Tim Burress
2005-04-20  7:02     ` Re[2]: " Maciej Soltysiak
2005-04-20  7:42     ` Henrik Nordstrom
2005-04-22  9:38       ` Tim Burress [this message]
2005-04-22 13:45         ` Jozsef Kadlecsik
2005-04-22 15:34           ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4268C5FB.5040201@variosecure.net \
    --to=tim@variosecure.net \
    --cc=gniibe@fsij.org \
    --cc=hno@marasystems.com \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=ukai@debian.or.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.