* ipt_unclean query
From: Sumit @ 2006-04-08 8:06 UTC
To: netfilter-devel
Hi Devs,
After making an unclean DROP ruleset I got "not-working" complaints from
some of my clients who are using a specific stock-trading application.
Simply looking at dmesg I found there are a few messages stating that
ipt_unclean: TCP flags bad: 0x0015
This message means the unclean match is dropping TCP packets with the ACK, RST,
and FIN flags. This I confirmed with the ipt_unclean.c code.
As per RFC793 (TCP)
... ... ...
In all states except SYN-SENT, all reset (RST) segments are validated by
checking their SEQ-fields. A reset is valid if its sequence number is
in the window.
... ... ...
Then is there any significance to dropping the ACK+RST+FIN combination?
Happy Netfiltering,
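Decoding the logged mask, as an added example that is not part of the original post or of the netfilter code: it groups `ipt_unclean` log lines by the flag combination that was dropped. It assumes the logged value is the TCP header flags byte with the standard bit positions; the sample dmesg text is constructed, and only the 0x0015 value comes from the post.

```python
import re
from collections import Counter

# TCP header flag bits (RFC 793, plus ECE/CWR from RFC 3168), lowest bit first.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Log line format as quoted in the post: "ipt_unclean: TCP flags bad: 0x0015"
LINE_RE = re.compile(r"ipt_unclean: TCP flags bad: 0x([0-9a-fA-F]+)")


def decode_flags(mask):
    """Return the flag names set in mask; bits above the flags byte are kept raw."""
    names = [name for bit, name in enumerate(TCP_FLAGS) if mask & (1 << bit)]
    extra = mask & ~0xFF
    if extra:
        names.append("other:0x%04x" % extra)
    return names or ["NONE"]


def summarize(log_text):
    """Count dropped packets per flag combination found in kernel log text."""
    counts = Counter()
    for match in LINE_RE.finditer(log_text):
        combo = "+".join(decode_flags(int(match.group(1), 16)))
        counts[combo] += 1
    return counts


# Constructed sample input (assumption): only 0x0015 appears in the post.
SAMPLE_DMESG = """\
ipt_unclean: TCP flags bad: 0x0015
eth0: link up
ipt_unclean: TCP flags bad: 0x0015
ipt_unclean: TCP flags bad: 0x0029
ipt_unclean: TCP flags bad: 0x0000
"""

if __name__ == "__main__":
    # Most frequently dropped combinations first.
    for combo, n in summarize(SAMPLE_DMESG).most_common():
        print("%4d  %s" % (n, combo))
```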
* Re: ipt_unclean query
From: Phil Oester @ 2006-04-08 16:44 UTC
To: Sumit; +Cc: netfilter-devel
On Sat, Apr 08, 2006 at 01:36:41PM +0530, Sumit wrote:
> Hi Devs,
> After making an unclean DROP ruleset I got "not-working" complaints
> from some of my clients who are using a specific stock-trading application.
Unclean is unsafe, and is scheduled to be removed from pom within the
next 30 days. Don't use it.
Phil