Re: unclean match

To: Bernd Eckenfels <lists@lina.inka.de>
Cc: Debian Firewall List <debian-firewall@lists.debian.org>
Subject: Re: unclean match
From: Daniel Pittman <daniel@rimspace.net>
Date: Wed, 21 Aug 2002 11:19:55 +1000
Message-id: <[🔎] 87y9b1ovno.fsf@enki.rimspace.net>
In-reply-to: <[🔎] 20020820131511.GA13437@lina.inka.de> (Bernd Eckenfels's message of "Tue, 20 Aug 2002 15:15:11 +0200")
References: <[🔎] 1029846010.633.11.camel@z618> <[🔎] 20020820123440.GA12667@lina.inka.de> <[🔎] 1029847585.634.21.camel@z618> <[🔎] 20020820131511.GA13437@lina.inka.de>

On Tue, 20 Aug 2002, Bernd Eckenfels wrote:
> On Tue, Aug 20, 2002 at 02:46:25PM +0200, Michael Kreilmeier wrote:
>> well, that's kind of what I thought. Does this module make it
>> unnecessary to filter out any bad combination of tcp-flags tha
>> classic way?
> 
> you should realy read the source:
> 
> /usr/src/linux/net/ipv4/netfilter/ipt_unclean.c
> 
> it filters for example...

[...]

>         /* CHECK: TCP reserved bits zero. */
>         if(tcp_flag_word(tcph) & TCP_RESERVED_BITS) {
>                 limpk("TCP reserved bits not zero\n");
>                 return 0;
>         }

Ack. Something to watch out for, then: the unclean match used to
consider any ECN packet "unclean". That snippet looks like it still may.

Be very careful if you enable this match, then, that you don't break ECN
connections.

        Daniel

-- 
Hocine Bibo Aut In Eum Digitos Insero?

Reply to:

Follow-Ups:
- Re: unclean match
  - From: Bernd Eckenfels <lists@lina.inka.de>

References:
- unclean match
  - From: Michael Kreilmeier <michi@kreilmeier.at>
- Re: unclean match
  - From: Bernd Eckenfels <lists@lina.inka.de>
- Re: unclean match
  - From: Michael Kreilmeier <michi@kreilmeier.at>
- Re: unclean match
  - From: Bernd Eckenfels <lists@lina.inka.de>

Prev by Date: Re: unclean match
Next by Date: Re: unclean match
Previous by thread: Re: unclean match
Next by thread: Re: unclean match
Index(es):
- Date
- Thread