From: "U.Mutlu" <for-gmane@mutluit.com>
To: netfilter-devel@vger.kernel.org
Subject: [iptables] tcp handshake: ACK RST silently converted to RST ?
Date: Sun, 25 Sep 2011 14:59:15 +0200 [thread overview]
Message-ID: <j5n8j4$713$1@dough.gmane.org>
I made a funny observation:
client sends a tcp SYN packet to a served port on the server,
server answers with ACK SYN,
client sends ACK RST to abort the 3-way-handshake.
When logging these sequences with the following commands:
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN IN "
iptables -A OUTPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN OUT "
iptables -A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST IN "
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST OUT "
then one sees that the "ACK RST" gets logged only as a "RST".
Is this perhaps a bug of iptables or its log module?
OTOH the server itself sends ACK RST (and it gets logged as such) to an
immediate SYN if the port is not open (i.e. blocked).
So, is then ACK RST maybe not an allowed answer to an ACK SYN to abort the handshake sequence?
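The two log lines in the post follow the reset-generation rule of RFC 793 section 3.4: a reset answering a segment that carries an ACK number takes its sequence number from that ACK and sets no ACK flag (a bare "RST"), while a reset answering a segment without ACK uses sequence 0, sets ACK and acknowledges what arrived ("ACK RST"). The example below is added here, is not code from the post, and walks both cases with constructed sequence numbers.

```python
"""RFC 793 (section 3.4) reset generation, applied to the post's two cases.
Added example with constructed segment values, not code from the post."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Segment:
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
    seq: int                # sequence number
    ack: int = 0            # acknowledgment number, meaningful only with "ACK"
    length: int = 0         # payload bytes; SYN and FIN each occupy one sequence number


def reset_for(incoming: Segment) -> Optional[Segment]:
    """Build the RST a TCP stack sends in reply to `incoming`.
    Returns None when no reset is sent: a RST is never answered with a RST."""
    if "RST" in incoming.flags:
        return None
    seqlen = incoming.length + ("SYN" in incoming.flags) + ("FIN" in incoming.flags)
    if "ACK" in incoming.flags:
        # The incoming segment carries an ACK number: the reset borrows it as
        # SEQ and carries no ACK flag, so the firewall logs a bare "RST".
        return Segment(flags=frozenset({"RST"}), seq=incoming.ack)
    # No ACK number to borrow: SEQ is 0 and the reset acknowledges everything
    # it received, so the ACK flag is set and the log shows "ACK RST".
    return Segment(flags=frozenset({"RST", "ACK"}), seq=0, ack=incoming.seq + seqlen)


def log_flags(seg: Segment) -> str:
    """Flag string in the order the iptables LOG target prints TCP flags
    (the order that yields the post's "ACK RST" wording)."""
    order = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
    return " ".join(f for f in order if f in seg.flags)


def handshake_abort_cases():
    """Case 1: SYN to a closed port. Case 2: client aborts after the SYN/ACK."""
    syn = Segment(flags=frozenset({"SYN"}), seq=1000)            # constructed
    closed_port_reply = reset_for(syn)
    synack = Segment(flags=frozenset({"SYN", "ACK"}), seq=5000, ack=1001)  # constructed
    abort_reply = reset_for(synack)
    return log_flags(closed_port_reply), log_flags(abort_reply)


if __name__ == "__main__":
    print(handshake_abort_cases())   # ('ACK RST', 'RST')
```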
Thread overview:
2011-09-25 12:59 U.Mutlu [this message]
2011-09-28 21:14 Pablo Neira Ayuso (reply)