REJECT using invalid data

Kiran Kumar Immidi immidi at spymac.com
Wed Dec 8 03:47:35 CET 2004


On Wednesday 08 December 2004 03:44, Pablo Neira wrote:

>Now I see, if state tracking is not enabled there's no way to avoid this 
>problem. But I guess that we should drop all malformed packets, not only 
>those which have bad checksums. Would you like to give a try to the 
>patch attached?

  Just a comment on this:

+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
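
Review bot: the index used with tcp_valid_flags needs an explicit mask, because the array is sized to (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1 entries while the TCP flags byte carries two further bits; a packet with either of those set would index past the end unless the lookup first ANDs the flags with the same six-flag set. The lookup is not part of the quoted line, so confirm the mask is applied there. If the table is only read after initialisation, declaring it static const would also keep it out of writable data.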

  This makes the array about 64 bytes long; it would be better to store it as
an array of valid flags rather than as a bit mask.

-- 
Regards,
Kiran Kumar Immidi
