I've just upgraded to 2.4.7, and I'm getting lots of errors:
ipt_unclean: TCP flags bad: 4
I only see them when my ppp link is up - pppd version 2.4.0
Looking at ipt_unclean.c it seems that this message will be generated
when I send a packet with flags set to RST only.
I've run a ppp session with the pppd option "record" turned on, and
analysed the output with "ethereal". This is indeed what is on the
wire. I'm no expert on TCP I'm afraid. The complete TCP stream
follows:
------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
129 12.800000 62.137.113.223 news.svr.pol.co.uk TCP
1148 > nntp [SYN] Seq=3684831495 Ack=0 Win=5840 Len=0
131 12.900000 news.svr.pol.co.uk 62.137.113.223 TCP
nntp > 1148 [SYN, ACK] Seq=2607886663 Ack=3684831496 Win=32736 Len=0
137 13.300000 62.137.113.223 news.svr.pol.co.uk TCP
1148 > nntp [FIN, ACK] Seq=3684831502 Ack=2607887466 Win=7090 Len=0
142 13.400000 62.137.113.223 news.svr.pol.co.uk TCP
1148 > nntp [RST] Seq=3684831503 Ack=0 Win=0 Len=0
------------------------------------------------------------------------------
--
Alan J. Wylie http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
Antoine de Saint-Exupery
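To make the diagnosis above concrete, here is an added C model of the ipt_unclean TCP-flag allow-list, written for this thread and not taken from the kernel or from the patch that follows. It reads the flag byte from offset 13 of the TCP header exactly as the kernel does, renders it the way ethereal prints it (so the "bad: 4" in the log line decodes to a bare RST), and replays the four segments from the posted capture through the check both as 2.4.7 shipped and with the single RST combination added. The TH_* values are the standard BSD flag bits; the combinations marked ASSUMED are not on this page (the quoted hunk is cut off before the end of the list) and are my assumptions about what a usable list must also accept; the port numbers and sequence numbers come from the capture, the rest of each header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (RFC 793). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

/* The kernel reads the flags exactly like this: ((u_int8_t *)tcph)[13]. */
uint8_t tcp_flags_of(const uint8_t *tcph)
{
    return tcph[13];
}

/* Render a flag byte the way ethereal prints it, e.g. 0x12 -> "SYN, ACK". */
void tcp_flags_name(uint8_t f, char *out, size_t outlen)
{
    static const struct { uint8_t bit; const char *name; } tab[] = {
        {TH_FIN, "FIN"}, {TH_SYN, "SYN"}, {TH_RST, "RST"},
        {TH_PUSH, "PSH"}, {TH_ACK, "ACK"}, {TH_URG, "URG"},
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(f & tab[i].bit))
            continue;
        if (out[0] != '\0')
            strncat(out, ", ", outlen - strlen(out) - 1);
        strncat(out, tab[i].name, outlen - strlen(out) - 1);
    }
}

/* Helper so callers can check the rendering without their own buffer. */
int tcp_flags_named_as(uint8_t f, const char *expect)
{
    char buf[48];
    tcp_flags_name(f, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* Model of the ipt_unclean allow-list of TCP flag combinations.
 * patched == 0 mirrors 2.4.7 as released (a bare RST is "unclean");
 * patched == 1 also accepts bare RST, the one combination the fix adds.
 * Lines marked ASSUMED lie past the end of the quoted hunk: they are
 * assumptions about the rest of the list, not taken from the page. */
int tcp_flags_clean(uint8_t f, int patched)
{
    switch (f) {
    case TH_SYN:
    case TH_SYN | TH_ACK:
    case TH_RST | TH_ACK:
    case TH_RST | TH_ACK | TH_PUSH:
    case TH_FIN | TH_ACK:
    case TH_ACK:                    /* ASSUMED: plain ACK / data segment */
    case TH_ACK | TH_PUSH:          /* ASSUMED: data segment with PSH */
    case TH_FIN | TH_ACK | TH_PUSH: /* ASSUMED: FIN carrying final data */
        return 1;
    case TH_RST:
        return patched;             /* flags == 4, the case in the report */
    default:
        return 0;
    }
}

/* The four segments of the posted capture, reduced to what the check sees.
 * Ports 1148 and 119 (nntp) plus Seq/Ack/Win are from the ethereal summary;
 * the rest of each header below is constructed (checksum left zero). */
struct seg { int from_client; uint32_t seq, ack; uint8_t flags; uint16_t win; };

static const struct seg capture[] = {
    {1, 3684831495u, 0u,          TH_SYN,          5840},
    {0, 2607886663u, 3684831496u, TH_SYN | TH_ACK, 32736},
    {1, 3684831502u, 2607887466u, TH_FIN | TH_ACK, 7090},
    {1, 3684831503u, 0u,          TH_RST,          0},
};

static void build_tcph(const struct seg *s, uint8_t h[20])
{
    uint16_t sport = s->from_client ? 1148 : 119;
    uint16_t dport = s->from_client ? 119 : 1148;
    memset(h, 0, 20);
    h[0] = (uint8_t)(sport >> 8);  h[1] = (uint8_t)sport;
    h[2] = (uint8_t)(dport >> 8);  h[3] = (uint8_t)dport;
    for (int i = 0; i < 4; i++) {
        h[4 + i] = (uint8_t)(s->seq >> (24 - 8 * i));
        h[8 + i] = (uint8_t)(s->ack >> (24 - 8 * i));
    }
    h[12] = 5 << 4;                 /* data offset: 5 words, no options */
    h[13] = s->flags;
    h[14] = (uint8_t)(s->win >> 8); h[15] = (uint8_t)s->win;
}

/* Replay the capture; returns how many segments would be logged as
 * "TCP flags bad" (and dropped by a "-m unclean -j DROP" rule). */
int count_unclean_in_capture(int patched)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof capture / sizeof capture[0]; i++) {
        uint8_t h[20];
        build_tcph(&capture[i], h);
        if (!tcp_flags_clean(tcp_flags_of(h), patched))
            bad++;
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < sizeof capture / sizeof capture[0]; i++) {
        char name[48];
        tcp_flags_name(capture[i].flags, name, sizeof name);
        printf("[%s] Seq=%u Ack=%u Win=%u  2.4.7:%s  patched:%s\n", name,
               (unsigned)capture[i].seq, (unsigned)capture[i].ack,
               (unsigned)capture[i].win,
               tcp_flags_clean(capture[i].flags, 0) ? "ok" : "bad",
               tcp_flags_clean(capture[i].flags, 1) ? "ok" : "bad");
    }
    return 0;
}
```

Run as is, only the final RST segment is reported under the unpatched list and none under the patched one, which is exactly the one log line per closed NNTP connection seen above. The check is an allow-list, so any flag combination a future stack legitimately emits will be reported the same way until someone adds it to the list.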
There was a bug introduced with kernel 2.4.6, but it was
solved with one of the latest 2.4.7-pre patches, I do not remember which
one.
Actually I was happily using tcp_unclean on my production servers, but
with 2.4.6 I was forced to avoid it.
I still have to try 2.4.7 to see if it works properly.
If you use a rule like
iptables -A INPUT -m unlean -j DROP
are you still able to connect in/out of your box?
bests
Luigi
On Sun, 22 Jul 2001, Alan J. Wylie wrote:
>
> I've just upgraded to 2.4.7, and I'm getting lots of errors:
>
> ipt_unclean: TCP flags bad: 4
>
> I only see them when my ppp link is up - pppd version 2.4.0
>
> Looking at ipt_unclean.c it seems that this message will be generated
> when I send a packet with flags set to RST only.
>
> I've run a ppp session with the pppd option "record" turned on, and
> analysed the output with "ethereal". This is indeed what is on the
> wire. I'm no expert on TCP I'm afraid. The complete TCP stream
> follows:
>
> ------------------------------------------------------------------------------
> No. Time Source Destination Protocol Info
>
> 129 12.800000 62.137.113.223 news.svr.pol.co.uk TCP
> 1148 > nntp [SYN] Seq=3684831495 Ack=0 Win=5840 Len=0
>
> 131 12.900000 news.svr.pol.co.uk 62.137.113.223 TCP
> nntp > 1148 [SYN, ACK] Seq=2607886663 Ack=3684831496 Win=32736 Len=0
>
> 137 13.300000 62.137.113.223 news.svr.pol.co.uk TCP
> 1148 > nntp [FIN, ACK] Seq=3684831502 Ack=2607887466 Win=7090 Len=0
>
> 142 13.400000 62.137.113.223 news.svr.pol.co.uk TCP
> 1148 > nntp [RST] Seq=3684831503 Ack=0 Win=0 Len=0
> ------------------------------------------------------------------------------
>
> --
> Alan J. Wylie http://www.glaramara.freeserve.co.uk/
> "Perfection [in design] is achieved not when there is nothing left to add,
> but rather when there is nothing left to take away."
> Antoine de Saint-Exupery
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
On Sun, 22 Jul 2001 19:51:43 +0200 (CEST), Luigi Genoni <[email protected]> said:
> There was a bug introduced with kernel 2.4.6, but it was solved with
> one of the latest 2.4.7-pre patches, I do not remember which one.
> Actually I was happily using tcp_unclean on my production servers,
> but with 2.4.6 I was forced to avoid it. I still have to try 2.4.7
> to see if it works properly.
> If you use a rule like
> iptables -A INPUT -m unlean -j DROP
^^^^^^
unclean, unclean <ding> ;-)
> are you still able to connect in/out of your box?
$MYIPTABLES --append INPUT --match unclean --jump DROP
has been at the start of my rules for a long time. I wasn't seeing
any *serious* problems browsing the web, etc., but was getting a few
"unable to connect to host" pages. Some of them went away on refresh,
but some sites I just couldn't get to. On the other hand, that's
normal for the Internet.
--
Alan J. Wylie http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
Antoine de Saint-Exupery
This is normal behaviour; if with the 2.4.7 kernel
this rule acts this way, that means it does work.
Are you telling me you see this behaviour with kernel 2.4.7?
Luigi
On Sun, 22 Jul 2001, Alan J. Wylie wrote:
> On Sun, 22 Jul 2001 19:51:43 +0200 (CEST), Luigi Genoni <[email protected]> said:
>
> > There was a bug introduced with kernel 2.4.6, but it was solved with
> > one of the latest 2.4.7-pre patches, I do not remember which one.
>
> > Actually I was happily using tcp_unclean on my production servers,
> > but with 2.4.6 I was forced to avoid it. I still have to try 2.4.7
> > to see if it works properly.
>
> > If you use a rule like
>
> > iptables -A INPUT -m unlean -j DROP
> ^^^^^^
> unclean, unclean <ding> ;-)
>
> > are you still able to connect in/out of your box?
>
> $MYIPTABLES --append INPUT --match unclean --jump DROP
>
> has been at the start of my rules for a long time. I wasn't seeing
> any *serious* problems browsing the web, etc., but was getting a few
> "unable to connect to host" pages. Some of them went away on refresh,
> but some sites I just couldn't get to. On the other hand, that's
> normal for the Internet.
>
> --
> Alan J. Wylie http://www.glaramara.freeserve.co.uk/
> "Perfection [in design] is achieved not when there is nothing left to add,
> but rather when there is nothing left to take away."
> Antoine de Saint-Exupery
>
In message <[email protected]> you write:
>
> I've just upgraded to 2.4.7, and I'm getting lots of errors:
>
> ipt_unclean: TCP flags bad: 4
Please try this patch...
Note that this should be a warning to people not to reject packets
based on ipt_unclean, or we'll end up with another situation like the
ECN blackholes when the next Funky New Thing comes along...
Thanks,
Rusty.
--
Premature optmztion is rt of all evl. --DK
diff -urN -I \$.*\$ -X /home/rusty/devel/kernel/kernel-patches/dontdiff --minimal linux-2.4.7-official/net/ipv4/netfilter/ipt_unclean.c working-2.4.7-unclean/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.7-official/net/ipv4/netfilter/ipt_unclean.c Sun Jul 22 13:13:27 2001
+++ working-2.4.7-unclean/net/ipv4/netfilter/ipt_unclean.c Mon Jul 23 18:29:11 2001
@@ -331,6 +331,7 @@
tcpflags = ((u_int8_t *)tcph)[13];
if (tcpflags != TH_SYN
&& tcpflags != (TH_SYN|TH_ACK)
+ && tcpflags != TH_RST
&& tcpflags != (TH_RST|TH_ACK)
&& tcpflags != (TH_RST|TH_ACK|TH_PUSH)
&& tcpflags != (TH_FIN|TH_ACK)
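Review bot: the added `&& tcpflags != TH_RST` line deserves a comment saying why a bare RST is legitimate, since the flag value 4 is precisely what the reported "TCP flags bad: 4" log line shows: a reset sent after a FIN, or in reply to a segment carrying no ACK, goes out without the ACK bit and with Ack=0, as the fourth segment of the posted capture demonstrates. Because this condition is an allow-list of flag combinations, it would also help to note next to it that every new legitimate combination must be added here by hand, which is the maintenance risk the cover note warns about when it asks people not to DROP on ipt_unclean.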
On Mon, 23 Jul 2001 18:43:26 +1000, Rusty Russell <[email protected]> said:
> In message <[email protected]> you
> write:
>> I've just upgraded to 2.4.7, and I'm getting lots of errors:
>>
>> ipt_unclean: TCP flags bad: 4
> Please try this patch...
That fixes it.
Many thanks.
--
Alan J. Wylie http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
Antoine de Saint-Exupery