* TCP sequence checking
From: Lukas Hubschmid (s) @ 2015-06-03 13:18 UTC (permalink / raw)
To: netfilter
Hello everybody,
Does iptables support TCP sequence checking, to check if a TCP packet
has a valid sequence number (according to previous packets of the same
TCP connection)?
Many thanks in advance!
KR,
Lukas
* Re: TCP sequence checking
From: Jozsef Kadlecsik @ 2015-06-03 17:16 UTC (permalink / raw)
To: Lukas Hubschmid (s); +Cc: netfilter
On Wed, 3 Jun 2015, Lukas Hubschmid (s) wrote:
> Does iptables support TCP sequence checking, to check if a TCP packet has a
> valid sequence number (according to previous packets of the same TCP
> connection)?
Yes, have a look at net/netfilter/nf_conntrack_proto_tcp.c in the kernel
source tree.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
* Re: TCP sequence checking
From: Lukas Hubschmid (s) @ 2015-06-03 17:52 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
Thank you Jozsef!
I am not quite sure if I read the C code correctly - so TCP sequence
checking seems to be enabled by default, right? Or do I need to set some
flag when adding a rule?
KR,
Lukas
On 03.06.2015 at 19:16, Jozsef Kadlecsik wrote:
> On Wed, 3 Jun 2015, Lukas Hubschmid (s) wrote:
>
>> Does iptables support TCP sequence checking, to check if a TCP packet has a
>> valid sequence number (according to previous packets of the same TCP
>> connection)?
> Yes, have a look at net/netfilter/nf_conntrack_proto_tcp.c in the kernel
> source tree.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary
* Re: TCP sequence checking
From: Jozsef Kadlecsik @ 2015-06-03 19:00 UTC (permalink / raw)
To: Lukas Hubschmid (s); +Cc: netfilter
On Wed, 3 Jun 2015, Lukas Hubschmid (s) wrote:
> I am not quite sure if I read the C-code correctly - so TCP sequence checking
> seems to be enabled by default, right? Or do I need to set some flag when
> adding a rule?
No, it's enabled by default. You can (partially) switch it off globally via a
sysctl setting, not with some flag in a rule.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
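The following is an added example, not part of this thread and not the kernel code Jozsef points to: a simplified Python model of the per-direction window tracking that nf_conntrack_proto_tcp.c performs on an established flow. It follows the four bounds that file documents (an upper and a lower bound on the data sequence numbers a side may send, and an upper and a lower bound on the acknowledgements it may carry) and shows why a segment with an arbitrary sequence or acknowledgement number is rejected even though the 4-tuple matches. Window scaling, SACK, the per-state transitions and the sysctl Jozsef refers to (which I take to be net.netfilter.nf_conntrack_tcp_be_liberal) are left out; the constants, the constructed handshake and the hypothetical `TcpWindowTracker` class are my own. In a real ruleset the kernel's verdict surfaces as the conntrack state INVALID, which a defender typically logs and drops (`-m conntrack --ctstate INVALID`) rather than letting through to a listening socket.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF
# Slack the kernel allows below receiver.td_end for acknowledgements
# (MAXACKWINCONST in nf_conntrack_proto_tcp.c).
MAXACKWINCONST = 66000


def before(a, b):
    """Wrap-aware 32-bit sequence comparison: a < b."""
    return ((a - b) & MASK) > 0x7FFFFFFF


def after(a, b):
    return before(b, a)


@dataclass
class Segment:
    seq: int
    ack: int
    win: int
    length: int = 0       # payload bytes
    syn: bool = False
    fin: bool = False
    has_ack: bool = True

    @property
    def end(self):
        # SYN and FIN each consume one sequence number.
        return (self.seq + self.length + int(self.syn) + int(self.fin)) & MASK


@dataclass
class DirState:
    td_end: int = 0      # highest seq+len this side has sent
    td_maxend: int = 0   # highest seq the peer has allowed (ack + win)
    td_maxwin: int = 0   # largest window this side has advertised (0 = unseen)


class TcpWindowTracker:
    """Hypothetical simplified tracker, one instance per connection."""

    def __init__(self):
        self.state = {"orig": DirState(), "reply": DirState()}

    def in_window(self, direction, seg):
        sender = self.state[direction]
        receiver = self.state["reply" if direction == "orig" else "orig"]
        end = seg.end
        # A segment without ACK is treated as acknowledging what we already saw.
        ack = seg.ack if seg.has_ack else receiver.td_end

        if sender.td_maxwin == 0:
            # First segment in this direction: initialise, nothing to compare yet.
            sender.td_end = end
            sender.td_maxend = end
            sender.td_maxwin = seg.win or 1
            if seg.has_ack:
                receiver.td_maxend = (ack + seg.win) & MASK
            return True

        ok = (
            before(seg.seq, (sender.td_maxend + 1) & MASK)                        # I
            and after(end, (sender.td_end - receiver.td_maxwin - 1) & MASK)       # II
            and before(ack, (receiver.td_end + 1) & MASK)                         # III
            and after(ack, (receiver.td_end - sender.td_maxwin
                            - MAXACKWINCONST - 1) & MASK)                         # IV
        )
        if ok:
            # Only in-window segments move the tracked edges forward.
            if after(end, sender.td_end):
                sender.td_end = end
            if seg.win > sender.td_maxwin:
                sender.td_maxwin = seg.win
            maxend = (ack + seg.win) & MASK
            if after(maxend, receiver.td_maxend):
                receiver.td_maxend = maxend
        return ok


def demo():
    """Constructed handshake and data exchange, then four probe segments."""
    t = TcpWindowTracker()
    old_seq = (1001 - 10000) & MASK
    probes = [
        ("orig",  Segment(seq=1000, ack=0, win=8192, syn=True, has_ack=False)),  # SYN
        ("reply", Segment(seq=5000, ack=1001, win=4096, syn=True)),              # SYN-ACK
        ("orig",  Segment(seq=1001, ack=5001, win=8192)),                        # ACK
        ("orig",  Segment(seq=1001, ack=5001, win=8192, length=100)),            # client data
        ("reply", Segment(seq=5001, ack=1101, win=4096, length=50)),             # server data
        ("orig",  Segment(seq=21101, ack=5051, win=8192, length=100)),  # seq far past the window (I)
        ("orig",  Segment(seq=1101, ack=1005051, win=8192)),            # ack for data never sent (III)
        ("orig",  Segment(seq=1001, ack=5051, win=8192, length=100)),   # retransmit, still in window
        ("orig",  Segment(seq=old_seq, ack=5051, win=8192, length=100)), # stale, below lower bound (II)
    ]
    return [t.in_window(d, s) for d, s in probes]


if __name__ == "__main__":
    for verdict in demo():
        print("in window" if verdict else "INVALID")
```

Every segment that fails a bound is left without updating the tracked edges, which matches the point of the check: a single spoofed segment with a plausible 4-tuple but an unrelated sequence or acknowledgement number does not get to reshape the connection's state.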