[PATCH 28/43] Unifies libip[6]t_tcp.c into libxt_tcp.c.
Pascal Hambourg
pascal.mail at plouf.fr.eu.org
Mon Jul 16 00:45:16 CEST 2007
Hello,
Jan Engelhardt wrote:
>
> On Jul 15 2007 03:11, Yasuyuki KOZAKAI wrote:
>
>>Note: libipt_tcp handled '--syn' as '--flags SYN,RST,ACK,FIN SYN', but
>> libip6t_tcp handled it as '--flags SYN,RST,ACK SYN'. I keep this
>> difference for now.
>
> Since SYN+FIN does not make much sense (unless the ipv6-tcp protocol _really_
> allowed that), libipt_tcp's definition should be used.
I just asked about this difference - and the reason why the FIN check
was not originally present in libiptc_tcp but added later, in 1.3.2 - in
the netfilter user list a few days ago. No reply yet. IMHO it does not
matter whether SYN+FIN makes sense or not but whether it is a valid
combination or not per the RFCs. I have always believed that there is
some precedence among TCP flags, e.g.:
- RST has precedence over SYN and FIN; if RST set, ignore SYN and FIN
- SYN has precedence over FIN; if SYN set, ignore FIN
Have I been wrong all this time?
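
The two '--syn' definitions quoted above, compared on a few flag combinations; this is an added example, not part of the original message or of the iptables source. It assumes the match tests `(flags & MASK) == COMP`, and `parse_flags` and `flags_match` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (byte 13 of the TCP header, RFC 793). */
enum { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

static const struct { const char *name; uint8_t bit; } flag_names[] = {
    {"FIN", FIN}, {"SYN", SYN}, {"RST", RST},
    {"PSH", PSH}, {"ACK", ACK}, {"URG", URG},
};

/* Hypothetical helper: turn "SYN,RST,ACK" into a bitmask; -1 on an unknown name. */
static int parse_flags(const char *list)
{
    char buf[64];
    int mask = 0;
    if (strlen(list) >= sizeof(buf)) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof(flag_names) / sizeof(flag_names[0]);
        for (i = 0; i < n; i++)
            if (strcmp(tok, flag_names[i].name) == 0) { mask |= flag_names[i].bit; break; }
        if (i == n) return -1;
    }
    return mask;
}

/* '--flags MASK COMP': look only at the MASK bits and require exactly COMP set. */
static int flags_match(uint8_t pkt, const char *mask, const char *comp)
{
    int m = parse_flags(mask), c = parse_flags(comp);
    if (m < 0 || c < 0) return -1;
    return (pkt & m) == c;
}

int main(void)
{
    /* Constructed sample packets (flag byte only). */
    const struct { const char *desc; uint8_t f; } pkts[] = {
        {"SYN", SYN}, {"SYN+FIN", SYN | FIN}, {"SYN+ACK", SYN | ACK}, {"SYN+RST", SYN | RST},
    };
    for (size_t i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
        printf("%-8s ipt:%d ip6t:%d\n", pkts[i].desc,
               flags_match(pkts[i].f, "SYN,RST,ACK,FIN", "SYN"),
               flags_match(pkts[i].f, "SYN,RST,ACK", "SYN"));
    return 0;
}
```

Only the SYN+FIN row differs between the two columns: with FIN outside the mask, that packet is treated as a plain SYN.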